
Windows Analysis Report
14OWDrfahJ.exe

Overview

General Information

Sample Name: 14OWDrfahJ.exe
Original Sample Name: 725dbfed269993cb9944c2e1f7bde652.exe
Analysis ID: 1345577
MD5: 725dbfed269993cb9944c2e1f7bde652
SHA1: 7104f1350e38ec3c3ea49154f1bba976572cb271
SHA256: 6db8fff48b37469101d280c3e60463c27ace26ea8076e94e358ae74e49fb46ac
Tags: exe, LummaStealer

Detection

PrivateLoader, RedLine, RisePro Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected PrivateLoader
Tries to steal Mail credentials (via file / registry access)
Found stalling execution ending in API Sleep call
PE file has a writeable .text section
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
.NET source code contains very large array initializations
Contains functionality to inject code into remote processes
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Found decision node followed by non-executed suspicious APIs
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains long sleeps (>= 3 min)
May check the online IP address of the machine
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Creates a start menu entry (Start Menu\Programs\Startup)
Installs a Chrome extension
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • 14OWDrfahJ.exe (PID: 7296 cmdline: C:\Users\user\Desktop\14OWDrfahJ.exe MD5: 725DBFED269993CB9944C2E1F7BDE652)
    • Ey3OF47.exe (PID: 7312 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe MD5: A8089B11ACB5AEB2755B87605CC0365C)
      • BC5tT98.exe (PID: 7328 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe MD5: CC54031BCC9F48998C7AE467ACF73422)
        • 2Iu7231.exe (PID: 7344 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe MD5: EFBF47DBDF08AC3A28C0236D9C0A4C27)
          • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • AppLaunch.exe (PID: 7984 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 89D41E1CF478A3D3C2C701A27A5692B2)
        • 3rB05VU.exe (PID: 8008 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe MD5: 5158C4F1C895E03E3157643FBA44BF15)
          • schtasks.exe (PID: 8044 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 8092 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • rundll32.exe (PID: 7468 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: EF3179D498793BF4234F708D3BE28633)
  • rundll32.exe (PID: 7600 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: EF3179D498793BF4234F708D3BE28633)
  • rundll32.exe (PID: 7740 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: EF3179D498793BF4234F708D3BE28633)
  • OfficeTrackerNMP131.exe (PID: 8156 cmdline: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe MD5: 5158C4F1C895E03E3157643FBA44BF15)
  • OfficeTrackerNMP131.exe (PID: 8172 cmdline: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe MD5: 5158C4F1C895E03E3157643FBA44BF15)
  • MaxLoonaFest131.exe (PID: 10520 cmdline: "C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe" MD5: 5158C4F1C895E03E3157643FBA44BF15)
  • MaxLoonaFest131.exe (PID: 10636 cmdline: "C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe" MD5: 5158C4F1C895E03E3157643FBA44BF15)
  • FANBooster131.exe (PID: 10828 cmdline: "C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe" MD5: 5158C4F1C895E03E3157643FBA44BF15)
  • cleanup
PrivateLoader
Description: According to Sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader

RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Extracted malware configuration (RedLine): {"C2 url": "194.49.94.152:19053", "Bot Id": "horda", "Authorization Header": "0014dde57a94712eabdc7d8099852c2b"}
Yara matches (Source | Rule | Description | Author):
  dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security
  C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security
Yara matches in memory dumps (Source | Rule | Description | Author):
  00000011.00000002.2361383370.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
  0000000B.00000002.2372767482.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  0000000C.00000002.2581262150.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security
  00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Yara matches in unpacked PE files (Source | Rule | Description | Author):
  11.2.AppLaunch.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  3.2.2Iu7231.exe.bf000.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  3.2.2Iu7231.exe.bf000.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  0.3.14OWDrfahJ.exe.5046420.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  0.3.14OWDrfahJ.exe.5046420.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
                              No Sigma rule has matched
Snort IDS alerts (all TCP; classtype: A Network Trojan was detected):
  11/21/23-04:17:53.738836 | SID 2046266 | 194.49.94.152:50500 -> 192.168.2.4:49739
  11/21/23-04:17:53.938221 | SID 2046267 | 194.49.94.152:50500 -> 192.168.2.4:49739
  11/21/23-04:17:53.161550 | SID 2043234 | 194.49.94.152:19053 -> 192.168.2.4:49737
  11/21/23-04:17:52.523115 | SID 2049060 | 192.168.2.4:49736 -> 194.49.94.152:50500
  11/21/23-04:17:53.817185 | SID 2046266 | 194.49.94.152:50500 -> 192.168.2.4:49740
  11/21/23-04:17:57.323617 | SID 2046269 | 192.168.2.4:49736 -> 194.49.94.152:50500
  11/21/23-04:17:52.401609 | SID 2046266 | 194.49.94.152:50500 -> 192.168.2.4:49736
  11/21/23-04:17:58.568287 | SID 2046269 | 192.168.2.4:49739 -> 194.49.94.152:50500
  11/21/23-04:17:52.593099 | SID 2046267 | 194.49.94.152:50500 -> 192.168.2.4:49736
  11/21/23-04:18:06.317470 | SID 2043231 | 192.168.2.4:49737 -> 194.49.94.152:19053
  11/21/23-04:17:54.018834 | SID 2046267 | 194.49.94.152:50500 -> 192.168.2.4:49740
  11/21/23-04:18:05.978094 | SID 2046266 | 194.49.94.152:50500 -> 192.168.2.4:49744
  11/21/23-04:18:14.273521 | SID 2046266 | 194.49.94.152:50500 -> 192.168.2.4:49745
  11/21/23-04:18:23.010239 | SID 2046266 | 194.49.94.152:50500 -> 192.168.2.4:49746
  11/21/23-04:17:52.975741 | SID 2046045 | 192.168.2.4:49737 -> 194.49.94.152:19053
  11/21/23-04:18:30.103136 | SID 2046269 | 192.168.2.4:49740 -> 194.49.94.152:50500


                              AV Detection

Source: 194.49.94.152:19053 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Avira: detection malicious, Label: HEUR/AGEN.1305142
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe | Avira: detection malicious, Label: HEUR/AGEN.1323769
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Avira: detection malicious, Label: HEUR/AGEN.1305142
Source: 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "194.49.94.152:19053", "Bot Id": "horda", "Authorization Header": "0014dde57a94712eabdc7d8099852c2b"}
Source: 14OWDrfahJ.exe | ReversingLabs: Detection: 50%
Source: 14OWDrfahJ.exe | Virustotal: Detection: 56%
Source: 14OWDrfahJ.exe | Avira: detected
Source: 194.49.94.152:19053 | Virustotal: Detection: 16%
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe | Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe | Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe | Virustotal: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Virustotal: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe | Virustotal: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Virustotal: Detection: 65%
Source: 14OWDrfahJ.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00752F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,0_2_00752F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Code function: 1_2_00012F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,1_2_00012F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Code function: 2_2_00BA2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,2_2_00BA2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_00081000 KiUserExceptionDispatcher,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,3_2_00081000
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00811560 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,12_2_00811560
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_00031560 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,17_2_00031560
Source: 14OWDrfahJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: 14OWDrfahJ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                              Source: Binary string: wextract.pdbGCTL source: 14OWDrfahJ.exe, BC5tT98.exe.1.dr, Ey3OF47.exe.0.dr
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbolsntkrnlmp.pdbwW source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2t source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2d source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb.O) source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tempAVSgsImjMYlWzR3.pdb%k6 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: mp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831r source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2j source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003320000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\tempAVSaeI8GhtgT29e.pdb*ta source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2b source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\winload_prod.pdb source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003320000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583475835.0000000004177000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Datarnlmp.pdbr source: 3rB05VU.exe, 0000000C.00000002.2583112343.0000000003F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbe\CXJ source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tempAVSaeI8GhtgT29e.pdbA source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb*.* source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb*.* source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbAcrobat source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2G?; source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb**e\ source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831e\*.* source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbol source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbcrobat\DCa source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831O source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831tate~X source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\*.*@\ source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crowd Denylmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\tempAVSaeI8GhtgT29e.pdb\*.*Y source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\Symbols\winload_prod.pdb\*X source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbAcrobatpData\1 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\tempAVSgsImjMYlWzR3.pdb\*.*^7 source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\winload_prod.pdbs\*O7 source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpadnlmp.pdb\ source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\tempAVSaeI8GhtgT29e.pdb\*.**.* source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\winload_prod.pdbs*Te source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tempAVSgsImjMYlWzR3.pdbFGw source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdbe\*s\ source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A58310 source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\tempAVSaeI8GhtgT29e.pdb\*.*Q source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2tory source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831che source: 3rB05VU.exe, 0000000C.00000002.2583524935.00000000041D9000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2story source: 3rB05VU.exe, 0000000C.00000002.2583112343.0000000003F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831*.*k source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdbes\**8 source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp

                              Spreading

                              Source: Yara match | File source: 17.0.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 12.2.3rB05VU.exe.7f0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 17.2.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 20.0.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 12.0.3rB05VU.exe.7f0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 22.0.FANBooster131.exe.830000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 22.2.FANBooster131.exe.830000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.3.BC5tT98.exe.4aa2540.0.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 19.0.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 20.2.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 19.2.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.3.BC5tT98.exe.4aa2540.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 18.0.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 18.2.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe, type: DROPPED
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SafetyTips\
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\02zdBXl47cvzcookies.sqlite
                              Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00752390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00752390
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Code function: 1_2_00012390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00012390
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Code function: 2_2_00BA2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00BA2390
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_007FEA60 FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 12_2_007FEA60
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_007FB990 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError, 12_2_007FB990
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00829AA0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA, 12_2_00829AA0
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_008A93BA FindClose,FindFirstFileExW,GetLastError, 12_2_008A93BA
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_008A9440 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 12_2_008A9440
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00811B60 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError, 12_2_00811B60
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_0001EA60 FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 17_2_0001EA60
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_0001B990 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError, 17_2_0001B990
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_00049AA0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA, 17_2_00049AA0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_000C93BA FindClose,FindFirstFileExW,GetLastError, 17_2_000C93BA
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_000C9440 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 17_2_000C9440
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_00031B60 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError, 17_2_00031B60
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 11_2_070E1848
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 11_2_070E196F
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0D7F13F4h 11_2_0D7F0CA8
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0D7F643Dh 11_2_0D7F5F80
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0D7F4BF7h 11_2_0D7F3998
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0D7F1AC3h 11_2_0D7F17F8
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0D7F267Fh 11_2_0D7F22E8
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0D7F2A73h 11_2_0D7F22E8

                              Networking

                              Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) 194.49.94.152:50500 -> 192.168.2.4:49736
                              Source: Traffic | Snort IDS: 2049060 ET TROJAN Suspected RisePro TCP Heartbeat Packet 192.168.2.4:49736 -> 194.49.94.152:50500
                              Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (External IP) 194.49.94.152:50500 -> 192.168.2.4:49736
                              Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) 192.168.2.4:49737 -> 194.49.94.152:19053
                              Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49737 -> 194.49.94.152:19053
                              Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 194.49.94.152:19053 -> 192.168.2.4:49737
                              Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) 194.49.94.152:50500 -> 192.168.2.4:49739
                              Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) 194.49.94.152:50500 -> 192.168.2.4:49740
                              Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (External IP) 194.49.94.152:50500 -> 192.168.2.4:49739
                              Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (External IP) 194.49.94.152:50500 -> 192.168.2.4:49740
                              Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Activity) 192.168.2.4:49736 -> 194.49.94.152:50500
                              Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Activity) 192.168.2.4:49739 -> 194.49.94.152:50500
                              Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Activity) 192.168.2.4:49740 -> 194.49.94.152:50500
                              Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) 194.49.94.152:50500 -> 192.168.2.4:49744
                              Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) 194.49.94.152:50500 -> 192.168.2.4:49745
                              Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) 194.49.94.152:50500 -> 192.168.2.4:49746
                              Source: Yara match | File source: 17.0.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 12.2.3rB05VU.exe.7f0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 17.2.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 20.0.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 12.0.3rB05VU.exe.7f0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 22.0.FANBooster131.exe.830000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 22.2.FANBooster131.exe.830000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.3.BC5tT98.exe.4aa2540.0.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 19.0.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 20.2.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 19.2.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 2.3.BC5tT98.exe.4aa2540.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 18.0.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 18.2.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe, type: DROPPED
                              Source: Malware configuration extractor | URLs: 194.49.94.152:19053
                              Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                              Source: unknown | DNS query: name: ipinfo.io
                              Source: unknown | DNS query: name: ipinfo.io
                              Source: global traffic | HTTP traffic detected: GET /widget/demo/89.149.18.60 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 Host: ipinfo.io
                              Source: global traffic | HTTP traffic detected: GET /widget/demo/89.149.18.60 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 Host: ipinfo.io
                              Source: global traffic | HTTP traffic detected: GET /widget/demo/89.149.18.60 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 Host: ipinfo.io
                              Source: Joe Sandbox View | ASN Name: EQUEST-ASNL EQUEST-ASNL
                              Source: Joe Sandbox View | IP Address: 194.49.94.152 194.49.94.152
                              Source: Joe Sandbox View | IP Address: 34.117.59.81 34.117.59.81
                              Source: Joe Sandbox View | IP Address: 34.117.59.81 34.117.59.81
                              Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 194.49.94.152:50500
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0N
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.dr | String found in binary or memory: http://ocsp.thawte.com0
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                              Source: 3rB05VU.exe.2.drString found in binary or memory: http://www.winimage.com/zLibDll
                              Source: OfficeTrackerNMP131.exe, 00000011.00000003.2283329805.0000000003DC9000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000003.2283612605.0000000003DBA000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000003.2283305020.0000000003DBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomple
                               Source: AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                              Source: AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                               Source: AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                              Source: OfficeTrackerNMP131.exe, 00000011.00000003.2283329805.0000000003DC9000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000003.2283612605.0000000003DBA000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000003.2283305020.0000000003DBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/f
                              Source: AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                              Source: OfficeTrackerNMP131.exe, 00000011.00000003.2283329805.0000000003DC9000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000003.2283305020.0000000003DBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/search
                              Source: AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                              Source: AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                              Source: AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2263669444.0000000003888000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2267666589.0000000003888000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwWeb Data.18.dr, 3b6N2Xdh3CYwWeb Data.12.dr, D87fZN3R3jFeWeb Data.18.dr, D87fZN3R3jFeWeb Data.12.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                              Source: AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                              Source: AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                              Source: OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                              Source: 3rB05VU.exe, 0000000C.00000002.2581262150.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
                              Source: OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000B4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/a
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2222685763.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000000.2217497768.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp, 3rB05VU.exe, 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp, 3rB05VU.exe, 0000000C.00000003.2218839974.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000000.2237844332.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2360401589.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2885751133.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000012.00000000.2238719070.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, MaxLoonaFest131.exe, 00000013.00000000.2359759982.0000000000696000.00000002.00000001.01000000.0000000E.sdmp, MaxLoonaFest131.exe, 00000013.00000002.2390326126.0000000000696000.00000002.00000001.01000000.0000000E.sdmp, MaxLoonaFest131.exe, 00000014.00000000.2442392337.0000000000696000.00000002.00000001.01000000.0000000E.sdmp, MaxLoonaFest131.exe, 00000014.00000002.2450878543.0000000000696000.00000002.00000001.01000000.0000000E.sdmp, FANBooster131.exe, 00000016.00000002.2538983831.0000000000936000.00000002.00000001.01000000.0000000F.sdmp, FANBooster131.exe, 00000016.00000000.2530405181.0000000000936000.00000002.00000001.01000000.0000000F.sdmp, MaxLoonaFest131.exe.12.dr, FANBooster131.exe.12.dr, OfficeTrackerNMP131.exe.12.dr, 3rB05VU.exe.2.drString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-address
                              Source: OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/89.149.18.60
                              Source: 3rB05VU.exe, 0000000C.00000002.2581262150.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/89.149.18.60
                              Source: OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.microsoft.
                              Source: OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.microsoft..
                              Source: D87fZN3R3jFeplaces.sqlite.12.drString found in binary or memory: https://support.mozilla.org
                              Source: D87fZN3R3jFeplaces.sqlite.12.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                              Source: D87fZN3R3jFeplaces.sqlite.12.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                              Source: 3rB05VU.exe, 0000000C.00000003.2253176691.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2250590767.0000000003349000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2265820672.0000000003876000.00000004.00000020.00020000.00000000.sdmp, IWPfiAXUTJTSHistory.18.dr, 02zdBXl47cvzHistory.12.dr, IWPfiAXUTJTSHistory.12.dr, 02zdBXl47cvzHistory.18.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                              Source: IWPfiAXUTJTSHistory.18.dr, 02zdBXl47cvzHistory.12.dr, IWPfiAXUTJTSHistory.12.dr, 02zdBXl47cvzHistory.18.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                              Source: 3rB05VU.exe, 0000000C.00000003.2253176691.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2250590767.0000000003349000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2265820672.0000000003876000.00000004.00000020.00020000.00000000.sdmp, IWPfiAXUTJTSHistory.18.dr, 02zdBXl47cvzHistory.12.dr, IWPfiAXUTJTSHistory.12.dr, 02zdBXl47cvzHistory.18.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                              Source: IWPfiAXUTJTSHistory.18.dr, 02zdBXl47cvzHistory.12.dr, IWPfiAXUTJTSHistory.12.dr, 02zdBXl47cvzHistory.18.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                              Source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/Ris
                              Source: FANBooster131.exe, 00000016.00000002.2539274464.000000000109E000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.12.dr, i0Y2zBdGkYmG70fPowdUhlT85ovTRCZq.zip.17.dr, 9qAkkNWhLDEhe3SVi3MbZOkApbYumn_h.zip.12.dr, passwords.txt.17.drString found in binary or memory: https://t.me/RiseProSUPPORT
                              Source: OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000BB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT&
                              Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.drString found in binary or memory: https://www.digicert.com/CPS0
                              Source: AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                              Source: AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                              Source: 3rB05VU.exe, OfficeTrackerNMP131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                              Source: D87fZN3R3jFeplaces.sqlite.12.drString found in binary or memory: https://www.mozilla.org
                              Source: D87fZN3R3jFeplaces.sqlite.12.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                              Source: D87fZN3R3jFeplaces.sqlite.12.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                              Source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                              Source: OfficeTrackerNMP131.exe, 00000011.00000002.2362547750.000000000363F000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2887214445.0000000004131000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.17.dr, 3b6N2Xdh3CYwplaces.sqlite.12.dr, 3b6N2Xdh3CYwplaces.sqlite.17.dr, D87fZN3R3jFeplaces.sqlite.12.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                              Source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/j
                              Source: OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000BB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/~
                              Source: D87fZN3R3jFeplaces.sqlite.12.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                              Source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                              Source: OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/ata4S
                              Source: OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/xR
                              Source: OfficeTrackerNMP131.exe, 00000011.00000002.2362547750.000000000363F000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2887214445.0000000004131000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.17.dr, 3b6N2Xdh3CYwplaces.sqlite.12.dr, 3b6N2Xdh3CYwplaces.sqlite.17.dr, D87fZN3R3jFeplaces.sqlite.12.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                              Source: OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000BB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/sfox
                              Source: unknownDNS traffic detected: queries for: ipinfo.io
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exeCode function: 12_2_0080CA80 send,recv,recv,WSAGetLastError,recv,recv,recv,recv,__aulldiv,__aulldiv,send,Sleep,recv,Sleep,12_2_0080CA80
                              Source: global trafficHTTP traffic detected: GET /widget/demo/89.149.18.60 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: ipinfo.io
                              Source: global trafficHTTP traffic detected: GET /widget/demo/89.149.18.60 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: ipinfo.io
                              Source: global trafficHTTP traffic detected: GET /widget/demo/89.149.18.60 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: ipinfo.io
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                              Source: unknownTCP traffic detected without corresponding DNS query: 194.49.94.152
                              Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49738 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49741 version: TLS 1.2
                              Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49742 version: TLS 1.2

                              Key, Mouse, Clipboard, Microphone and Screen Capturing

                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe, type: DROPPED
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_007FC190 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown | 12_2_007FC190

                              System Summary

                              Source: 0.3.14OWDrfahJ.exe.5046420.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe, type: DROPPED | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                              Source: 4eD052Od.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              Source: 3.2.2Iu7231.exe.bf000.1.raw.unpack, -Module-.cs | Large array initialization: _003CModule_003E: array initializer size 2400
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_0005199017_2_00051990
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_000999E017_2_000999E0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_0008FA1017_2_0008FA10
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00059A9017_2_00059A90
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_000CFAF017_2_000CFAF0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_000EDBB017_2_000EDBB0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00045BDE17_2_00045BDE
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_000E1C7017_2_000E1C70
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_000A5E0017_2_000A5E00
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_000D1E8017_2_000D1E80
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00029B2017_2_00029B20
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_0008DF7017_2_0008DF70
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_000D3F9017_2_000D3F90
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Section loaded: sfc.dll
Source: 14OWDrfahJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.3.14OWDrfahJ.exe.5046420.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00751F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Code function: 1_2_00011F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Code function: 2_2_00BA1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: String function: 000CB970 appears 60 times
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: String function: 00074300 appears 55 times
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: String function: 00098F70 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: String function: 00092170 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: String function: 00854300 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: String function: 008AB970 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: String function: 00878F70 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00848DC0 SetPriorityClass,SetUnhandledExceptionFilter,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,LoadLibraryA,LoadLibraryA,CreateThread,CloseHandle,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,GetFileAttributesA,CreateMutexA,GetLastError,Sleep,Sleep,shutdown,closesocket,WSACleanup,Sleep,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__aulldiv,__aulldiv,send,send,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,CreateThread,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,DeleteFileA,GetVersionExA,MessageBoxA,Sleep,shutdown,closesocket,WSACleanup,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtTerminateProcess,GetCurrentProcessId
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_0001A470 GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,NtQuerySystemInformation,HeapFree,RtlFreeHeap,RtlAllocateHeap,NtQuerySystemInformation,HeapFree
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_0001A6D0 GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,OpenProcess,CloseHandle,GetCurrentProcess,NtDuplicateObject,CloseHandle,CreateEventA,ResetEvent,CreateThread,WaitForSingleObject,RtlUnicodeStringToAnsiString,CloseHandle,CloseHandle,GetCurrentProcess,CloseHandle,TerminateThread,CloseHandle,CloseHandle,CloseHandle
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_00068DC0 SetPriorityClass,SetUnhandledExceptionFilter,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,LoadLibraryA,LoadLibraryA,CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,GetFileAttributesA,CreateMutexA,GetLastError,Sleep,Sleep,shutdown,closesocket,WSACleanup,Sleep,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__aulldiv,__aulldiv,send,send,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,CreateThread,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,DeleteFileA,GetVersionExA,MessageBoxA,Sleep,shutdown,closesocket,WSACleanup,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtTerminateProcess,GetCurrentProcessId
Source: 14OWDrfahJ.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1053596 bytes, 2 files, at 0x2c +A "Ey3OF47.exe" +A "5Rp2df8.exe", ID 1788, number 1, 36 datablocks, 0x1503 compression
Source: Ey3OF47.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 829321 bytes, 2 files, at 0x2c +A "BC5tT98.exe" +A "4eD052Od.exe", ID 1786, number 1, 28 datablocks, 0x1503 compression
Source: BC5tT98.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 702168 bytes, 2 files, at 0x2c +A "2Iu7231.exe" +A "3rB05VU.exe", ID 1684, number 1, 56 datablocks, 0x1503 compression
Source: 4eD052Od.exe.1.dr | Static PE information: No import functions for PE file found
Source: 14OWDrfahJ.exe, 00000000.00000003.1633376402.000000000330F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameoffDef.exe. vs 14OWDrfahJ.exe
Source: 14OWDrfahJ.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs 14OWDrfahJ.exe
Source: 4eD052Od.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 4eD052Od.exe.1.dr | Static PE information: Section .text
Source: 14OWDrfahJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FANBooster131.lnk.12.dr | LNK file: ..\..\..\..\..\..\Local\Temp\FANBooster131\FANBooster131.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\Users\user\AppData\Local\SystemCache
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@26/50@1/2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_0075597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00754FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA
Source: 14OWDrfahJ.exe | ReversingLabs: Detection: 50%
Source: 14OWDrfahJ.exe | Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\14OWDrfahJ.exe C:\Users\user\Desktop\14OWDrfahJ.exe
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
Source: unknown | Process created: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe "C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe "C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe "C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe"
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00751F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Code function: 1_2_00011F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Code function: 2_2_00BA1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00807FA0 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,CopyFileA,GetUserNameA
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_0075597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 3rB05VU.exe, 0000000C.00000003.2222685763.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000000.2217497768.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp, 3rB05VU.exe, 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp, 3rB05VU.exe, 0000000C.00000003.2218839974.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, OfficeTrackerNMP131.exe, 00000011.00000000.2237844332.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2360401589.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2885751133.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000012.00000000.2238719070.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, MaxLoonaFest131.exe, 00000013.00000000.2359759982.0000000000696000.00000002.00000001.01000000.0000000E.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2222685763.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000000.2217497768.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp, 3rB05VU.exe, 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp, 3rB05VU.exe, 0000000C.00000003.2218839974.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000000.2237844332.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2360401589.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2885751133.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000012.00000000.2238719070.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, MaxLoonaFest131.exe, 00000013.00000000.2359759982.0000000000696000.00000002.00000001.01000000.0000000E.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 3rB05VU.exe, 0000000C.00000003.2249149800.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249217983.0000000000C09000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2248373350.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2248411636.0000000000C09000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000003.2261504201.0000000000C19000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000003.2262415785.0000000003645000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2262234619.000000000100E000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2262211046.0000000000FFD000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2263383740.0000000000FFD000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2265504372.000000000100C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_007FD0B0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Command line argument: Kernel32.dll (0_2_00752BFB)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Command line argument: Kernel32.dll (1_2_00012BFB)
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Command line argument: Kernel32.dll (2_2_00BA2BFB)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: 131 (12_2_00848DC0)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: /*************/ (12_2_00848DC0)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: \config.xml (12_2_00848DC0)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: <config> (12_2_00848DC0)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: </config> (12_2_00848DC0)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: 131 (12_2_00848DC0)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: 89.149.18.60 (12_2_00848DC0)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: ntdll.dll (12_2_00848DC0)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: 89.149.18.60 (12_2_00848DC0)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: Error (12_2_00848DC0)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Command line argument: ntdll.dll (12_2_00848DC0)
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Command line argument: 131 (17_2_00068DC0)
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Command line argument: /*************/ (17_2_00068DC0)
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Command line argument: \config.xml (17_2_00068DC0)
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Command line argument: <config> (17_2_00068DC0)
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Command line argument: </config> (17_2_00068DC0)
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Command line argument: 131 (17_2_00068DC0)
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: 13117_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: 89.149.18.6017_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: 89.149.18.6017_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: 89.149.18.6017_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: 89.149.18.6017_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: 89.149.18.6017_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: ntdll.dll17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: 89.149.18.6017_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: 89.149.18.6017_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: 89.149.18.6017_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: Error17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCommand line argument: ntdll.dll17_2_00068DC0
                              Source: 3rB05VU.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                              Source: OfficeTrackerNMP131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                              Source: C:\Users\user\Desktop\14OWDrfahJ.exeAutomated click: OK
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exeAutomated click: OK
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                              Source: 14OWDrfahJ.exeStatic file information: File size 1200128 > 1048576
                              Source: 14OWDrfahJ.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x11ca00
                              Source: 14OWDrfahJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                              Source: 14OWDrfahJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                              Source: 14OWDrfahJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                              Source: 14OWDrfahJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                              Source: 14OWDrfahJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                              Source: 14OWDrfahJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                              Source: 14OWDrfahJ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                              Source: 14OWDrfahJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831) source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831nJM source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\tempAVSMIf5cNgqvav9.pdb\*.*m source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831*.*31/ source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb*12 source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003320000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb** source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: p.pdb source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb?rH source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583112343.0000000003F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2E source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2D source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2tion Data\A source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: wextract.pdbGCTL source: 14OWDrfahJ.exe, BC5tT98.exe.1.dr, Ey3OF47.exe.0.dr
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbolsntkrnlmp.pdbwW source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2t source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2d source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb.O) source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tempAVSgsImjMYlWzR3.pdb%k6 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: mp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831r source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2j source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003320000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\tempAVSaeI8GhtgT29e.pdb*ta source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2b source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\winload_prod.pdb source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003320000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583475835.0000000004177000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Datarnlmp.pdbr source: 3rB05VU.exe, 0000000C.00000002.2583112343.0000000003F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbe\CXJ source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tempAVSaeI8GhtgT29e.pdbA source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb*.* source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb*.* source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbAcrobat source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2G?; source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb**e\ source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831e\*.* source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbol source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbcrobat\DCa source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831O source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831tate~X source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\*.*@\ source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crowd Denylmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\tempAVSaeI8GhtgT29e.pdb\*.*Y source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\Symbols\winload_prod.pdb\*X source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbAcrobatpData\1 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\tempAVSgsImjMYlWzR3.pdb\*.*^7 source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\winload_prod.pdbs\*O7 source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpadnlmp.pdb\ source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\tempAVSaeI8GhtgT29e.pdb\*.**.* source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\winload_prod.pdbs*Te source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tempAVSgsImjMYlWzR3.pdbFGw source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdbe\*s\ source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A58310 source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\tempAVSaeI8GhtgT29e.pdb\*.*Q source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2tory source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831che source: 3rB05VU.exe, 0000000C.00000002.2583524935.00000000041D9000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2I source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: lmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: .pdb\*.* source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\tempAVSMIf5cNgqvav9.pdb\*.*" source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Datanlmp.pdbr* source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\Symbols\ntkrnlmp.pdb*.*.*\*? source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: wextract.pdb source: 14OWDrfahJ.exe, BC5tT98.exe.1.dr, Ey3OF47.exe.0.dr
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbeegkt source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A583106e source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbZ source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbDCH source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831*.* source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb5|7 source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2tData\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\AC\** source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: nlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\tempAVSgsImjMYlWzR3.pdb*.*Gp source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583475835.0000000004177000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2ata source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbbets source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbC8 source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: rnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583112343.0000000003F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: nlmp.pdb\ source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583524935.00000000041D9000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003320000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbcrobat\DC source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbathe source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbeees source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\tempAVSEtti_jQBHy11.pdb\* source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\winload_prod.pdbcrobat source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tempAVSmnUz2tnF899j.pdb source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbat source: 3rB05VU.exe, 0000000C.00000002.2582407905.0000000003B51000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A58318 source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb-j source: 3rB05VU.exe, 0000000C.00000002.2581982519.0000000002F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2f source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831&! source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2ownload.error= source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2mp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbn)+4 source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583615801.000000000428E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831" source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2j source: 3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbted8bbwe source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb*elrw source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbtDi source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbobeTemp source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbe\l source: 3rB05VU.exe, 0000000C.00000002.2583475835.0000000004177000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2]! source: 3rB05VU.exe, 0000000C.00000002.2583008356.0000000003E96000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2582317012.0000000003A30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: 3rB05VU.exe, 0000000C.00000002.2583524935.00000000041D9000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\tempAVSaeI8GhtgT29e.pdb\*.* source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2B source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\SymbolsFA1AC2p.pdb}Cd source: 3rB05VU.exe, 0000000C.00000002.2582912924.0000000003E30000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdbemp source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582456554.0000000003BC2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbe\*he-p source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831MY source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2story source: 3rB05VU.exe, 0000000C.00000002.2583112343.0000000003F70000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 3rB05VU.exe, 0000000C.00000002.2583244317.00000000040FC000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2583154801.0000000003FB2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831*.*k source: 3rB05VU.exe, 0000000C.00000002.2583706770.0000000004378000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdbes\**8 source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: 3rB05VU.exe, 0000000C.00000002.2582538713.0000000003CAA000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Files\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: 3rB05VU.exe, 0000000C.00000002.2582612223.0000000003D54000.00000004.00000020.00020000.00000000.sdmp
                              Source: C:\Users\user\Desktop\14OWDrfahJ.exe Code function: 0_2_0075724D push ecx; ret 0_2_00757260
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe Code function: 1_2_0001724D push ecx; ret 1_2_00017260
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe Code function: 2_2_00BA724D push ecx; ret 2_2_00BA7260
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe Code function: 3_2_000AE295 push ecx; ret 3_2_000AE2A8
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe Code function: 3_2_000C11AE push esp; iretd 3_2_000C11B6
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe Code function: 3_2_000C1256 push 0000002Fh; retf 3_2_000C1276
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe Code function: 3_2_000C166F push edx; ret 3_2_000C1676
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe Code function: 12_2_008AB537 push ecx; ret 12_2_008AB54A
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe Code function: 12_2_0087B962 push ss; ret 12_2_0087B964
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe Code function: 17_2_000CB537 push ecx; ret 17_2_000CB54A
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe Code function: 17_2_0009B962 push ss; ret 17_2_0009B964
                              Source: C:\Users\user\Desktop\14OWDrfahJ.exe Code function: 0_2_0075202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_0075202A
                              Source: 3rB05VU.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x1463bc
                              Source: OfficeTrackerNMP131.exe.12.dr Static PE information: real checksum: 0x0 should be: 0x1463bc
                              Source: 5Rp2df8.exe.0.dr Static PE information: real checksum: 0x23bfb should be: 0x34d09
                              Source: 4eD052Od.exe.1.dr Static PE information: real checksum: 0x9b25 should be: 0x9c3f
                              Source: MaxLoonaFest131.exe.12.dr Static PE information: real checksum: 0x0 should be: 0x1463bc
                              Source: FANBooster131.exe.12.dr Static PE information: real checksum: 0x0 should be: 0x1463bc
                              Source: 2Iu7231.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x7dfa6
                              Source: initial sample Static PE information: section name: .text entropy: 7.047633597935999
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe File created: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
                              Source: C:\Users\user\Desktop\14OWDrfahJ.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe File created: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe File created: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
                              Source: C:\Users\user\Desktop\14OWDrfahJ.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
                              Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe
                              Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe File created: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\et
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\eu
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fa
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr_CA
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\gl
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\gu
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hi
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hr
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hy
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\id
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\is
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\it
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\iw
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\km
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kn
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ko
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lo
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lt
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lv
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ml
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mn
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mr
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\my
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ne
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\nl
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\no
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pa
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pl
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pt_BR
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pt_PT
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ro
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ru
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\si
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sk
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sl
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sr
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sv
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sw
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ta
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\te
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\th
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\tr
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\uk
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ur
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\vi
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_CN
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_HK
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_TW
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zu
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeFile created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\de
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\el
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es_419
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\et
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hi
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hu
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ja
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lt
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lv
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nb
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\vi
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe  File created: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp
Source: C:\Users\user\Desktop\14OWDrfahJ.exe  Code function: 0_2_00751AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00751AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe  Code function: 1_2_00011AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,1_2_00011AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe  Code function: 2_2_00BA1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,2_2_00BA1AE8

                              Boot Survival

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe  File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MaxLoonaFest131
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe  Code function: 12_2_0086CFB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_0086CFB0
Source: C:\Windows\System32\rundll32.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                              Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Stalling execution: Execution stalls by calling Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 10476 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 10484 | Thread sleep count: 1806 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 10484 | Thread sleep count: 801 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 8004 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Last function: Thread delayed
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_0087B220 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 0087B261h
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_0009B220 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 0009B261h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Window / User API: threadDelayed 1806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Window / User API: threadDelayed 801
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | API call chain: ExitProcess graph end node
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SafetyTips\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\02zdBXl47cvzcookies.sqlite
Source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}14
Source: AppLaunch.exe, 0000000B.00000002.2373060572.0000000005496000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
Source: OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW<<
Source: FANBooster131.exe, 00000016.00000002.2539274464.00000000010BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MaxLoonaFest131.exe, 00000014.00000002.2451235806.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_53CC54CF
Source: FANBooster131.exe, 00000016.00000003.2538616589.00000000010C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: FANBooster131.exe, 00000016.00000002.2539134852.0000000000CFB000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b
Source: MaxLoonaFest131.exe, 00000013.00000002.2390970865.000000000101E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&4
Source: 3rB05VU.exe, 0000000C.00000002.2581262150.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000002.2581262150.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2269824158.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2268851533.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2268035770.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2270468902.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 3rB05VU.exe, 0000000C.00000002.2581262150.0000000000B50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
Source: FANBooster131.exe, 00000016.00000003.2538616589.00000000010D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MaxLoonaFest131.exe, 00000013.00000002.2390970865.0000000001050000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307
Source: 3rB05VU.exe, 0000000C.00000002.2581262150.0000000000B81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}18
Source: 3rB05VU.exe, 0000000C.00000003.2227248325.0000000000B85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}=D
Source: MaxLoonaFest131.exe, 00000014.00000002.2451235806.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ile5
Source: FANBooster131.exe, 00000016.00000002.2539274464.00000000010BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MaxLoonaFest131.exe, 00000013.00000002.2390970865.0000000001048000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-9
Source: AppLaunch.exe, 0000000B.00000002.2373196339.0000000005530000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MaxLoonaFest131.exe, 00000014.00000002.2451235806.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MaxLoonaFest131.exe, 00000014.00000002.2451235806.0000000000E37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: AppLaunch.exe, 0000000B.00000002.2373060572.0000000005496000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareZP4PZU5LWin32_VideoControllerEEEE3RBEVideoController120060621000000.000000-00027230916display.infMSBDA_5B5GCW1PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemuser-PC1280 x 1024 x 4294967296 colorsZBA461MD
Source: OfficeTrackerNMP131.exe, 00000011.00000002.2362816797.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}HC
Source: 3rB05VU.exe, 0000000C.00000002.2581262150.0000000000B44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: MaxLoonaFest131.exe, 00000014.00000002.2451235806.0000000000E37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: MaxLoonaFest131.exe, 00000013.00000002.2390970865.000000000101E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: 3rB05VU.exe, 0000000C.00000003.2227248325.0000000000B85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}01
Source: FANBooster131.exe, 00000016.00000002.2539274464.000000000109E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}fb+r
Source: MaxLoonaFest131.exe, 00000014.00000002.2451235806.0000000000E37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}T
Source: OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
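The evasion entries above fall into a few recurring groups: stalling sleeps with absurd timeouts, WMI queries against hardware classes that expose hypervisor-branded names, VMware and Hyper-V device strings left in process memory, and repeated reads of the PEB through fs:[30h]. The Python script below is an added example, not part of this Joe Sandbox report or of Joe Sandbox tooling: it buckets report-style lines into those categories so an analyst can decide quickly whether a re-run on a hardened VM is warranted. The sample lines are constructed from the entries above; the category names, the pattern set and the reading of the delay value 922337203685477 as Int64.MaxValue scaled by 10^4 (an effectively unbounded wait) are the example's own assumptions, while the 30000 and 30 thresholds are the ones printed in the report's own comparison text.

```python
"""Evasion triage for Joe Sandbox 'Malware Analysis System Evasion' entries.

Added example, not part of the report or of Joe Sandbox tooling. It takes report
lines as plain text and buckets them into evasion categories so the analyst can
see which anti-VM / anti-analysis checks the sample relies on.
"""
import re
from collections import Counter

# Constructed sample input, modelled on the entries above (not parsed from the page).
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 10476 Thread sleep time: -8301034833169293s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 10484 Thread sleep count: 1806 > 30",
    r"Source: 3rB05VU.exe, 0000000C.00000002.2582147162.0000000003350000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}14",
    r"Source: OfficeTrackerNMP131.exe, 00000011.00000002.2361383370.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<<",
    r"Source: AppLaunch.exe, 0000000B.00000002.2373060572.0000000005496000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00",
    r"Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe Code function: 12_2_00848DC0 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe Code function: 12_2_00848DC0 mov ecx, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe Code function: 12_2_00810C30 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\Desktop\14OWDrfahJ.exe Code function: 0_2_00755467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA",
]

# Hypervisor fingerprints in the form they appear in the memory strings above.
# VEN_15AD is VMware's PCI vendor ID; the SCSI path names VMware's virtual disk.
VM_ARTIFACT_PATTERNS = {
    "vmware_scsi_device": re.compile(r"ven_vmware|prod_virtual_disk|vmware_sata", re.I),
    "vmware_pci_vendor": re.compile(r"VEN_15AD\b", re.I),
    "hyperv_provider": re.compile(r"Hyper-V\b"),
}
# WMI classes the sample queries above; each exposes hypervisor-branded hardware names.
VM_WMI_CLASSES = {"Win32_VideoController", "Win32_DiskDrive", "Win32_Processor", "Win32_ComputerSystem"}

WMI_RE = re.compile(r"SELECT\s+\*\s+FROM\s+(\w+)", re.I)
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s*(-?\d+)s")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)")
# fs:[30h] is the PEB on 32-bit Windows; the report emits one line per read instruction.
PEB_RE = re.compile(r"Code function:\s*(\S+)\s+mov\s+\w+,\s*dword ptr fs:\[00000030h\]")

SLEEP_THRESHOLD_S = 30000   # threshold printed in the report's own comparison text
SLEEP_LOOP_THRESHOLD = 30   # likewise ("Thread sleep count: 1806 > 30")
# Assumption: the report's delay value 922337203685477 is Int64.MaxValue // 10**4,
# the largest representable timeout, which this example treats as an unbounded wait.
UNBOUNDED_WAIT = (2**63 - 1) // 10_000


def is_unbounded_wait(seconds):
    """True when a reported sleep/delay value is at the representable maximum."""
    return abs(int(seconds)) >= UNBOUNDED_WAIT


def classify_line(line):
    """Return (category, detail) for one report line, or None if it is not an evasion indicator."""
    m = PEB_RE.search(line)
    if m:
        return "peb_read", m.group(1)
    m = WMI_RE.search(line)
    if m and m.group(1) in VM_WMI_CLASSES:
        return "vm_wmi_query", m.group(1)
    m = SLEEP_TIME_RE.search(line)
    if m and abs(int(m.group(1))) >= SLEEP_THRESHOLD_S:
        return "sleep_stall", int(m.group(1))
    m = SLEEP_COUNT_RE.search(line)
    if m and int(m.group(1)) > SLEEP_LOOP_THRESHOLD:
        return "sleep_loop", int(m.group(1))
    for tag, pattern in VM_ARTIFACT_PATTERNS.items():
        if pattern.search(line):
            return "vm_artifact_string", tag
    return None


def summarize(lines):
    """Aggregate classified lines into an evasion profile keyed by category."""
    profile = {
        "vm_wmi_query": Counter(),
        "vm_artifact_string": Counter(),
        "peb_read": Counter(),   # function id -> number of PEB reads (collapses the repeated lines)
        "sleep_stall": [],
        "sleep_loop": [],
    }
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        category, detail = hit
        bucket = profile[category]
        if isinstance(bucket, Counter):
            bucket[detail] += 1
        else:
            bucket.append(detail)
    return profile


def evasion_score(profile):
    """Number of distinct evasion categories seen (0 to 5). Three or more means the
    sample is sandbox-aware and a re-run needs a hardened VM and long timeouts."""
    return sum(1 for bucket in profile.values() if bucket)


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for category, bucket in result.items():
        print(f"{category}: {dict(bucket) if isinstance(bucket, Counter) else bucket}")
    print("evasion score:", evasion_score(result))
    print("unbounded waits:", [s for s in result["sleep_stall"] if is_unbounded_wait(s)])
```

Feed it the report's signature lines exported as text; the PEB counter is what makes the long runs of identical fs:[30h] lines readable, since a function with dozens of PEB reads is almost always an inlined anti-debug or processor-count check rather than ordinary runtime code.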
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00755467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00752390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Code function: 1_2_00012390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Code function: 2_2_00BA2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_007FEA60 FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_007FB990 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00829AA0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_008A93BA FindClose,FindFirstFileExW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_008A9440 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00811B60 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_0001EA60 FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_0001B990 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_00049AA0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_000C93BA FindClose,FindFirstFileExW,GetLastError
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_000C9440 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_00031B60 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError
Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_0075202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_0009B22E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_000A1799 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_00081650 mov edi, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00848DC0 mov eax, dword ptr fs:[00000030h] (24 such reads reported for this function)
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00848DC0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00810C30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00804E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00805450 mov eax, dword ptr fs:[00000030h] (9 such reads reported)
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exeCode function: 12_2_00805450 mov eax, dword ptr fs:[00000030h]12_2_00805450
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exeCode function: 12_2_00805450 mov eax, dword ptr fs:[00000030h]12_2_00805450
                              Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exeCode function: 12_2_00805450 mov eax, dword ptr fs:[00000030h]12_2_00805450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov ecx, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00068DC0 mov eax, dword ptr fs:[00000030h]17_2_00068DC0
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00030C30 mov eax, dword ptr fs:[00000030h]17_2_00030C30
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00024E10 mov eax, dword ptr fs:[00000030h]17_2_00024E10
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                              Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exeCode function: 17_2_00025450 mov eax, dword ptr fs:[00000030h]17_2_00025450
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_0009AAEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0009AAEB
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_000A35CD GetProcessHeap,3_2_000A35CD
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process token adjusted: Debug
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_000A3E97 LdrInitializeThunk,___free_lconv_mon,3_2_000A3E97
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Memory allocated: page read and write | page guard
                               Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00756F40 SetUnhandledExceptionFilter,0_2_00756F40
                               Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00756CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00756CF0
                               Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Code function: 1_2_00016F40 SetUnhandledExceptionFilter,1_2_00016F40
                               Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | Code function: 1_2_00016CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00016CF0
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Code function: 2_2_00BA6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00BA6CF0
                               Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | Code function: 2_2_00BA6F40 SetUnhandledExceptionFilter,2_2_00BA6F40
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_0009232A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0009232A
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_0009AAEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0009AAEB
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_00091DAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00091DAF
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_00091F14 SetUnhandledExceptionFilter,3_2_00091F14
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00848DC0 SetPriorityClass,SetUnhandledExceptionFilter,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,LoadLibraryA,LoadLibraryA,CreateThread,CloseHandle,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,GetFileAttributesA,CreateMutexA,GetLastError,Sleep,Sleep,shutdown,closesocket,WSACleanup,Sleep,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__aulldiv,__aulldiv,send,send,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,CreateThread,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,DeleteFileA,GetVersionExA,MessageBoxA,Sleep,shutdown,closesocket,WSACleanup,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtTerminateProcess,GetCurrentProcessId,12_2_00848DC0
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_008C62A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_008C62A4
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_008AB764 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_008AB764
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_008AB8F7 SetUnhandledExceptionFilter,12_2_008AB8F7
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_008ABB0D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_008ABB0D
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_00068DC0 SetPriorityClass,SetUnhandledExceptionFilter,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,LoadLibraryA,LoadLibraryA,CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,GetFileAttributesA,CreateMutexA,GetLastError,Sleep,Sleep,shutdown,closesocket,WSACleanup,Sleep,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__aulldiv,__aulldiv,send,send,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,CreateThread,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,DeleteFileA,GetVersionExA,MessageBoxA,Sleep,shutdown,closesocket,WSACleanup,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtTerminateProcess,GetCurrentProcessId,17_2_00068DC0
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_000E62A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_000E62A4
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_000CB764 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_000CB764
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_000CB8F7 SetUnhandledExceptionFilter,17_2_000CB8F7
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_000CBB0D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_000CBB0D

                              HIPS / PFW / Operating System Protection Evasion

                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_000816B0 CreateProcessW,VirtualAllocEx,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,3_2_000816B0
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 402000
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 42E000
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 43A000
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 506D008
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_00809920 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,12_2_00809920
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: 17_2_00029920 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,17_2_00029920
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                               Note: the RWX allocation at 0x400000 in the newly created AppLaunch.exe, a write there that starts with 4D5A ("MZ"), and further writes at 0x402000, 0x42E000 and 0x43A000 are a PE image being copied in header-first and then section by section; the chain at 3_2_000816B0 (CreateProcessW, VirtualAllocEx, Wow64GetThreadContext, WriteProcessMemory x3, Wow64SetThreadContext, ResumeThread) is the 32-bit RunPE hollowing routine that performs it, with the final write at 0x506D008 landing outside the mapped image. The second chain, at 12_2_00809920 / 17_2_00029920, is the other classic pattern: VirtualAllocEx and WriteProcessMemory into a target, GetProcAddress to resolve the loader entry point, then CreateRemoteThread to run it in the remote process.
                               Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_007517EE LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,0_2_007517EE
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: GetLocaleInfoW,3_2_000A3376
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,3_2_000A5605
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: EnumSystemLocalesW,3_2_000A58A7
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: EnumSystemLocalesW,3_2_000A58F2
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: EnumSystemLocalesW,3_2_000A598D
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_000A5A18
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: GetLocaleInfoW,3_2_000A5C6B
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_000A5D94
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: EnumSystemLocalesW,3_2_000A2E4D
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: GetLocaleInfoW,3_2_000A5E9A
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_000A5F69
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,12_2_007FD0B0
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: GetLocaleInfoW,12_2_008E207B
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_008E21A4
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: GetLocaleInfoW,12_2_008E22AA
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_008E2380
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: EnumSystemLocalesW,12_2_008D8C9A
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: GetLocaleInfoW,12_2_008D921D
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: GetLocaleInfoEx,FormatMessageA,12_2_008A9704
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,12_2_008E1A0B
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: EnumSystemLocalesW,12_2_008E1CB7
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: GetLocaleInfoW,12_2_008E1C10
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: EnumSystemLocalesW,12_2_008E1D9D
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: EnumSystemLocalesW,12_2_008E1D02
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_008E1E28
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,17_2_0001D0B0
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: GetLocaleInfoW,17_2_0010207B
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,17_2_001021A4
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: GetLocaleInfoW,17_2_001022AA
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,17_2_00102380
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: EnumSystemLocalesW,17_2_000F8C9A
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: GetLocaleInfoW,17_2_000F921D
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: GetLocaleInfoEx,FormatMessageA,17_2_000C9704
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,17_2_00101A0B
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: GetLocaleInfoW,17_2_00101C10
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: EnumSystemLocalesW,17_2_00101CB7
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: EnumSystemLocalesW,17_2_00101D02
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: EnumSystemLocalesW,17_2_00101D9D
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,17_2_00101E28
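                               The three API chains that matter most in this report are recognisable from the report text alone: the RunPE hollowing chain in 2Iu7231.exe at 3_2_000816B0, the CreateRemoteThread injection chain at 12_2_00809920 / 17_2_00029920, and the host-profiling chain at 12_2_007FD0B0 / 17_2_0001D0B0 (GetCurrentHwProfileA, GetComputerNameA, GetUserNameA, keyboard layouts, time zone, memory, display devices, process snapshot). The Python below is an added triage example, not Joe Sandbox code and not code from the sample: it parses "Code function" rows and flags ordered subsequences for hollowing and remote-thread injection plus an unordered threshold for host fingerprinting. The pattern names, the interchangeable API names listed for each step, and the threshold of five distinct recon APIs are this example's own assumptions; the sample rows are copied from the report, with the long fingerprinting row abridged to a subset of its calls.

```python
"""Classify API-call chains from Joe Sandbox 'Code function' rows.

Added example for this report; not Joe Sandbox code and not code from the
analysed sample. Pattern names, step alternatives and RECON_MIN are this
example's own assumptions; the REPORT_ROWS are copied from the report.
"""
import re
from typing import Dict, List, Sequence, Set

# Sandbox function identifiers look like "3_2_000816B0" (pid_run_address).
FUNC_ID = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")

# Ordered subsequences: each step is a set of interchangeable API names.
# A chain matches when one name per step occurs in this order; unrelated
# calls may sit between the steps.
ORDERED_PATTERNS: Dict[str, Sequence[Set[str]]] = {
    # RunPE-style hollowing: spawn, map a PE into the child, redirect its
    # initial thread to the new image, resume it.
    "process_hollowing": (
        {"CreateProcessW", "CreateProcessA"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
        {"ResumeThread", "NtResumeThread"},
    ),
    # LoadLibrary injection: write a path or stub into the target, resolve
    # the loader entry point, run it on a new remote thread.
    "remote_thread_dll_injection": (
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"GetProcAddress"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
    ),
}

# Unordered host-profiling APIs; a chain is flagged once it uses at least
# RECON_MIN distinct ones (threshold chosen for this example).
RECON_APIS: Set[str] = {
    "GetCurrentHwProfileA", "GetComputerNameA", "GetComputerNameW",
    "GetUserNameA", "GetUserNameW", "GetWindowRect", "GetUserDefaultLocaleName",
    "GetKeyboardLayoutList", "GetTimeZoneInformation", "GetSystemInfo",
    "GlobalMemoryStatusEx", "EnumDisplayDevicesA", "CreateToolhelp32Snapshot",
}
RECON_MIN = 5


def parse_chain(row: str) -> List[str]:
    """Return the API names of a 'Code function:' row, dropping the ids."""
    _, _, rest = row.partition("Code function:")
    calls: List[str] = []
    for token in rest.split(","):
        for word in token.split():          # "3_2_000816B0 CreateProcessW"
            if not FUNC_ID.match(word):
                calls.append(word)
    return calls


def occurs_in_order(calls: Sequence[str], steps: Sequence[Set[str]]) -> bool:
    """True if one API from each step appears in calls, in step order."""
    pos = 0
    for alternatives in steps:
        while pos < len(calls) and calls[pos] not in alternatives:
            pos += 1
        if pos == len(calls):
            return False
        pos += 1
    return True


def classify(row: str) -> List[str]:
    """Names of every pattern the row's API chain satisfies."""
    calls = parse_chain(row)
    hits = [name for name, steps in ORDERED_PATTERNS.items()
            if occurs_in_order(calls, steps)]
    if len(RECON_APIS.intersection(calls)) >= RECON_MIN:
        hits.append("host_fingerprinting")
    return hits


# Rows copied from the report (paths shortened to the file name; the
# fingerprinting row is abridged to a subset of its calls).
REPORT_ROWS = {
    "hollowing": "Source: 2Iu7231.exe | Code function: 3_2_000816B0 CreateProcessW,"
                 "VirtualAllocEx,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,"
                 "WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,"
                 "Wow64SetThreadContext,ResumeThread,3_2_000816B0",
    "remote_thread": "Source: 3rB05VU.exe | Code function: 12_2_00809920 VirtualAllocEx,"
                     "WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,"
                     "GetProcAddress,WriteProcessMemory,WriteProcessMemory,"
                     "CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,12_2_00809920",
    "fingerprint": "Source: 3rB05VU.exe | Code function: RegOpenKeyExA,RegQueryValueExA,"
                   "RegCloseKey,GetCurrentHwProfileA,GetModuleFileNameA,GetComputerNameA,"
                   "GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,"
                   "GetKeyboardLayoutList,GetLocaleInfoA,GetTimeZoneInformation,"
                   "GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,"
                   "CreateToolhelp32Snapshot,Process32First,Process32Next,12_2_007FD0B0",
    "benign": "Source: 14OWDrfahJ.exe | Code function: 0_2_007517EE LoadLibraryA,"
              "GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,0_2_007517EE",
}

if __name__ == "__main__":
    for label, row in REPORT_ROWS.items():
        print(f"{label:14s} -> {classify(row) or ['no pattern']}")
```

                               The ordered match deliberately tolerates calls between steps (the report's hollowing row has Wow64GetThreadContext and ReadProcessMemory in the middle, and three WriteProcessMemory calls for the header and sections), while the LoadLibraryA/GetProcAddress/AllocateAndInitializeSid row from the dropper is left unflagged because it never touches another process.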
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Queries volume information: C:\ VolumeInformation (3 identical rows in the report)
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Queries volume information: C:\ VolumeInformation (3 identical rows in the report)
                               Source: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe | Queries volume information: C:\ VolumeInformation (2 identical rows in the report)
                               Source: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe | Queries volume information: C:\ VolumeInformation
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | Code function: 3_2_00091F81 cpuid 3_2_00091F81
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 identical rows in the report)
                               Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 identical rows in the report)
                               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                               Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00757155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00757155
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_008DAC6A GetTimeZoneInformation,12_2_008DAC6A
                               Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Code function: 12_2_007FD0B0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,12_2_007FD0B0
                               Source: C:\Users\user\Desktop\14OWDrfahJ.exe | Code function: 0_2_00752BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,0_2_00752BFB
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                              Source: 14OWDrfahJ.exe, 00000000.00000002.2647653855.00000000031B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hJ.exe

                              Stealing of Sensitive Information

                              barindex
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 11.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.2Iu7231.exe.bf000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.2Iu7231.exe.bf000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.14OWDrfahJ.exe.5046420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.2Iu7231.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2372767482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1633263282.0000000004F58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 7984, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe, type: DROPPED
Source: Yara match | File source: 00000011.00000002.2361383370.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3rB05VU.exe PID: 8008, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OfficeTrackerNMP131.exe PID: 8156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OfficeTrackerNMP131.exe PID: 8172, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe, type: DROPPED
Source: Yara match | File source: 17.0.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.3rB05VU.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.3rB05VU.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.0.FANBooster131.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.FANBooster131.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.BC5tT98.exe.4aa2540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.BC5tT98.exe.4aa2540.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cookies.sqlite
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LocalPrefs.json
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | File opened: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Files\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: Yara match | File source: 0000000C.00000002.2581262150.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 7984, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3rB05VU.exe PID: 8008, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 11.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.2Iu7231.exe.bf000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.2Iu7231.exe.bf000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.14OWDrfahJ.exe.5046420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.2Iu7231.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2372767482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1633263282.0000000004F58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 7984, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe, type: DROPPED
Source: Yara match | File source: 00000011.00000002.2361383370.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3rB05VU.exe PID: 8008, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OfficeTrackerNMP131.exe PID: 8156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OfficeTrackerNMP131.exe PID: 8172, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe, type: DROPPED
Source: Yara match | File source: 17.0.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.3rB05VU.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.3rB05VU.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.0.FANBooster131.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.FANBooster131.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.BC5tT98.exe.4aa2540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.MaxLoonaFest131.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.BC5tT98.exe.4aa2540.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.OfficeTrackerNMP131.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe, type: DROPPED
MITRE ATT&CK Matrix (cells are one technique per tactic column; a leading number in brackets is the signature-count badge shown in the report for that technique; empty cells are left blank):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance
Valid Accounts | [221] Windows Management Instrumentation | [1] DLL Side-Loading | [1] DLL Side-Loading | [1] Disable or Modify Tools | [1] OS Credential Dumping | [12] System Time Discovery | Remote Services | [1] Archive Collected Data | Exfiltration Over Other Network Medium | [2] Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | [1] System Shutdown/Reboot | Acquire Infrastructure | Gather Victim Identity Information
Default Accounts | [13] Native API | [1] Browser Extensions | [1] Access Token Manipulation | [1] Deobfuscate/Decode Files or Information | LSASS Memory | [1] Account Discovery | Remote Desktop Protocol | [1] Browser Session Hijacking | Exfiltration Over Bluetooth | [21] Encrypted Channel | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials
Domain Accounts | [3] Command and Scripting Interpreter | [1] Scheduled Task/Job | [511] Process Injection | [4] Obfuscated Files or Information | Security Account Manager | [3] File and Directory Discovery | SMB/Windows Admin Shares | [1] Data from Local System | Automated Exfiltration | [1] Non-Standard Port | | | Data Encrypted for Impact | DNS Server | Email Addresses
Local Accounts | [1] Scheduled Task/Job | [21] Registry Run Keys / Startup Folder | [1] Scheduled Task/Job | [2] Software Packing | NTDS | [148] System Information Discovery | Distributed Component Object Model | [1] Screen Capture | Traffic Duplication | [2] Non-Application Layer Protocol | | | Data Destruction | Virtual Private Server | Employee Names
Cloud Accounts | Launchd | Network Logon Script | [21] Registry Run Keys / Startup Folder | [1] DLL Side-Loading | LSA Secrets | [351] Security Software Discovery | SSH | [1] Email Collection | Scheduled Transfer | [113] Application Layer Protocol | | | Data Encrypted for Impact | Server | Gather Victim Network Information
Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | [1] Masquerading | Cached Domain Credentials | [231] Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Data Transfer Size Limits | Multiband Communication | | | Service Stop | Botnet | Domain Properties
External Remote Services | Systemd Timers | Startup Items | Startup Items | [231] Virtualization/Sandbox Evasion | DCSync | [2] Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over C2 Channel | Commonly Used Port | | | Inhibit System Recovery | Web Services | DNS
Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | [1] Access Token Manipulation | Proc Filesystem | [1] Application Window Discovery | Cloud Services | Credential API Hooking | Exfiltration Over Alternative Protocol | Application Layer Protocol | | | Defacement | Serverless | Network Trust Dependencies
Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | [511] Process Injection | /etc/passwd and /etc/shadow | [1] System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Web Protocols | | | Internal Defacement | Malvertising | Network Topology
Supply Chain Compromise | PowerShell | Cron | Cron | [1] Rundll32 | Network Sniffing | [1] System Network Configuration Discovery | Shared Webroot | Local Data Staging | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | File Transfer Protocols | | | External Defacement | Compromise Infrastructure | IP Addresses

                              Legend:

                              • Process
                              • Signature
                              • Created File
                              • DNS/IP Info
                              • Is Dropped
                              • Is Windows Process
                              • Number of created Registry Values
                              • Number of created Files
                              • Visual Basic
                              • Delphi
                              • Java
                              • .Net C# or VB.NET
                              • C, C++ or other language
                              • Is malicious
                              • Internet
Behavior Graph (ID 1345577, sample 14OWDrfahJ.exe, start date 21/11/2023, architecture WINDOWS, score 100). Node numbers are the graph's own; the two figures after a process name are the legend's created-registry-values and created-files counters.

Start (node 2)
  signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 15 other signatures
  DNS: 67 ipinfo.io
  starts: 11 14OWDrfahJ.exe (1 4); 14 OfficeTrackerNMP131.exe; 17 OfficeTrackerNMP131.exe; 19 (6 other processes)

11 14OWDrfahJ.exe
  dropped: 57 C:\Users\user\AppData\Local\...y3OF47.exe (PE32); 59 C:\Users\user\AppData\Local\...\5Rp2df8.exe (PE32)
  starts: 21 Ey3OF47.exe (1 4)

14 OfficeTrackerNMP131.exe
  signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file; 3 other signatures

17 OfficeTrackerNMP131.exe
  signatures: Tries to harvest and steal browser information (history, passwords, etc)

21 Ey3OF47.exe
  dropped: 49 C:\Users\user\AppData\Local\...\BC5tT98.exe (PE32); 51 C:\Users\user\AppData\Local\...\4eD052Od.exe (PE32)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  starts: 25 BC5tT98.exe (1 4)

25 BC5tT98.exe
  dropped: 53 C:\Users\user\AppData\Local\...\3rB05VU.exe (PE32); 55 C:\Users\user\AppData\Local\...\2Iu7231.exe (PE32)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  starts: 29 3rB05VU.exe (1 503); 34 2Iu7231.exe (1)

29 3rB05VU.exe
  network: 69 194.49.94.152 port 19053 (source ports 49736, 49737), EQUEST-ASNL, unknown; 71 ipinfo.io 34.117.59.81 port 443 (source ports 49738, 49741), GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG, United States
  dropped: 61 C:\Users\user\AppData\...\FANBooster131.exe (PE32); 63 C:\Users\user\AppData\...\MaxLoonaFest131.exe (PE32); 65 C:\ProgramData\...\OfficeTrackerNMP131.exe (PE32)
  signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file; 4 other signatures
  starts: 36 schtasks.exe; 38 schtasks.exe

34 2Iu7231.exe
  signatures: Antivirus detection for dropped file; Contains functionality to inject code into remote processes; Writes to foreign memory regions; 2 other signatures
  starts: 40 AppLaunch.exe (8 4); 43 conhost.exe

36 schtasks.exe
  starts: 45 conhost.exe

38 schtasks.exe
  starts: 47 conhost.exe

40 AppLaunch.exe
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
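The behavior graph and the tables that follow give enough to hunt for this chain on other hosts. The script below is an added example and is not part of the Joe Sandbox report: it encodes the drop paths from the dropped-files table, the 194.49.94.152:19053 endpoint, the parent-child pairs from the graph (a binary running out of an IXP00x.TMP directory spawning schtasks.exe or AppLaunch.exe) and the ipinfo.io / api.ip.sb lookups, and runs them over constructed EDR-style events. The events, the profile name alice, the .NET Framework path for AppLaunch.exe and the rule names are assumptions, not data from the report. The tempuri.org and schemas.xmlsoap.org strings in the URL tables are deliberately not used as indicators: they are the default namespaces of .NET WCF / WS-* clients and appear in any WCF process, which is consistent with the scanners rating them safe.

```python
"""Hunt for the indicators this Joe Sandbox report attributes to 14OWDrfahJ.exe.

Added example, not part of the report. Drop paths, C2 endpoint and process
relationships are copied from the report's tables and behavior graph; the
telemetry events at the bottom are constructed for illustration, not real logs.
"""
import re
from typing import Dict, List, Tuple

# Drop locations from the "dropped files" table. "user" is the sandbox account;
# _path_pattern() wildcards it so the rule fires for any profile name.
DROPPED_PATHS = [
    r"C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe",
    r"C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe",
    r"C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe",
    r"C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe",
    r"C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe",
    r"C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe",
    r"C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe",
    r"C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe",
    r"C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe",
]
# Endpoint rated "malware" by Avira URL Cloud (17% on VirusTotal) in the URL table.
C2_ENDPOINT = ("194.49.94.152", 19053)
# Public IP-lookup services contacted by the chain; benign on their own, so they
# only count when the connecting image lives in an IXP00x.TMP directory.
GEOIP_HOSTS = {"ipinfo.io", "api.ip.sb"}
# The nested IXP00x.TMP extraction directories each dropper stage runs from.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
USER_PREFIX = "C:\\Users\\user\\"


def _path_pattern(path: str) -> "re.Pattern[str]":
    """Literal drop path -> case-insensitive regex with the user name wildcarded."""
    if path.startswith(USER_PREFIX):
        return re.compile(r"(?i)^C:\\Users\\[^\\]+\\" + re.escape(path[len(USER_PREFIX):]) + "$")
    return re.compile("(?i)^" + re.escape(path) + "$")


DROP_PATTERNS = [_path_pattern(p) for p in DROPPED_PATHS]


def is_dropped_path(path: str) -> bool:
    """True if a file path matches one of the report's drop locations."""
    return any(p.match(path) for p in DROP_PATTERNS)


def classify(event: Dict) -> List[str]:
    """Return the rule names an EDR-style event triggers (empty if nothing matched)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "file_create":
        if is_dropped_path(event["path"]):
            hits.append("known_drop_path")
    elif kind == "process_create":
        image, parent = event["image"], event.get("parent", "")
        if is_dropped_path(image):
            hits.append("known_dropped_binary_executed")
        if IXP_DIR.search(parent):
            # Behavior graph: 3rB05VU.exe -> schtasks.exe (task persistence) and
            # 2Iu7231.exe -> AppLaunch.exe (the process it writes foreign memory into).
            base = image.rsplit("\\", 1)[-1].lower()
            if base == "schtasks.exe":
                hits.append("schtasks_from_ixp_tmp")
            elif base == "applaunch.exe":
                hits.append("applaunch_from_ixp_tmp")
    elif kind == "network_connect":
        if (event["dst_ip"], event["dst_port"]) == C2_ENDPOINT:
            hits.append("c2_194_49_94_152_19053")
        if event.get("host") in GEOIP_HOSTS and IXP_DIR.search(event.get("image", "")):
            hits.append("geoip_lookup_from_ixp_tmp")
    return hits


def hunt(events: List[Dict]) -> List[Tuple[int, str]]:
    """(event index, rule) for every rule hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed telemetry (assumption, not report data): the profile name "alice"
# differs from the sandbox's "user" to exercise the wildcard; the last two
# events are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe"},
    {"type": "network_connect", "image": r"C:\Users\alice\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe",
     "dst_ip": "194.49.94.152", "dst_port": 19053},
    {"type": "network_connect", "image": r"C:\Users\alice\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe",
     "dst_ip": "34.117.59.81", "dst_port": 443, "host": "ipinfo.io"},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "34.117.59.81", "dst_port": 443, "host": "ipinfo.io"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for index, rule in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The path rules are exact matches on purpose: the random-looking basenames (Ey3OF47.exe, 3rB05VU.exe) are specific to this build, so a match is high confidence, while the IXP00x.TMP parent rules and the geolocation rule generalise to sibling builds of the same dropper at the cost of needing a second signal before alerting.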

Initial sample:
Source | Detection | Scanner | Label | Link
14OWDrfahJ.exe | 50% | ReversingLabs | Win32.Trojan.SmokeLoader |
14OWDrfahJ.exe | 57% | Virustotal | | Browse
14OWDrfahJ.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
14OWDrfahJ.exe | 100% | Joe Sandbox ML | |
Dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | 100% | Avira | HEUR/AGEN.1305142 |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe | 100% | Avira | HEUR/AGEN.1323769 |
C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | 100% | Avira | HEUR/AGEN.1305142 |
C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe | 65% | Virustotal | | Browse
C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe | 65% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe | 65% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe | 67% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe | 54% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe | 62% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe | 56% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe | 35% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe | 65% | Virustotal | | Browse
                              No Antivirus matches
                              No Antivirus matches
URLs:
Source | Detection | Scanner | Label | Link
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe |
https://support.microsoft.. | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/ | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id2Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 4% | Virustotal | | Browse
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 2% | Virustotal | | Browse
https://support.microsoft.. | 0% | Virustotal | | Browse
http://tempuri.org/Entity/Id15Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe |
194.49.94.152:19053 | 100% | Avira URL Cloud | malware |
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id6ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe |
194.49.94.152:19053 | 17% | Virustotal | | Browse
http://tempuri.org/Entity/Id5Response | 2% | Virustotal | | Browse
http://tempuri.org/D | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id4ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id22ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id16ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id4ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id12ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id7ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id18Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id3Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id18Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id16ResponseD | 0% | Virustotal | | Browse
http://tempuri.org/Entity/Id22ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
http://tempuri.org/D | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id22Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id3Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id9 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id5 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id8 | 1% | Virustotal | | Browse
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.59.81 | true | false | | high

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
194.49.94.152:19053 | true | 17%, Virustotal, Browse; Avira URL Cloud: malware | unknown
URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2263669444.0000000003888000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000012.00000003.2267666589.0000000003888000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwWeb Data.18.dr, 3b6N2Xdh3CYwWeb Data.12.dr, D87fZN3R3jFeWeb Data.18.dr, D87fZN3R3jFeWeb Data.12.dr | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23ResponseD | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12Response | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/ | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-address | BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2222685763.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000000.2217497768.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp, 3rB05VU.exe, 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp, 3rB05VU.exe, 0000000C.00000003.2218839974.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000000.2237844332.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000011.00000002.2360401589.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000012.00000002.2885751133.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, OfficeTrackerNMP131.exe, 00000012.00000000.2238719070.0000000000116000.00000002.00000001.01000000.0000000C.sdmp, MaxLoonaFest131.exe, 00000013.00000000.2359759982.0000000000696000.00000002.00000001.01000000.0000000E.sdmp, MaxLoonaFest131.exe, 00000013.00000002.2390326126.0000000000696000.00000002.00000001.01000000.0000000E.sdmp, MaxLoonaFest131.exe, 00000014.00000000.2442392337.0000000000696000.00000002.00000001.01000000.0000000E.sdmp, MaxLoonaFest131.exe, 00000014.00000002.2450878543.0000000000696000.00000002.00000001.01000000.0000000E.sdmp, FANBooster131.exe, 00000016.00000002.2538983831.0000000000936000.00000002.00000001.01000000.0000000F.sdmp, FANBooster131.exe, 00000016.00000000.2530405181.0000000000936000.00000002.00000001.01000000.0000000F.sdmp, MaxLoonaFest131.exe.12.dr, FANBooster131.exe.12.dr, OfficeTrackerNMP131.exe.12.dr, 3rB05VU.exe.2.dr | false | | high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6ResponseD | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://support.microsoft.. | OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13ResponseD | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1ResponseD | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORT | FANBooster131.exe, 00000016.00000002.2539274464.000000000109E000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.12.dr, i0Y2zBdGkYmG70fPowdUhlT85ovTRCZq.zip.17.dr, 9qAkkNWhLDEhe3SVi3MbZOkApbYumn_h.zip.12.dr, passwords.txt.17.dr | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | AppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 
0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedAppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://tempuri.org/Entity/Id21ResponseDAppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • 1%, Virustotal, Browse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressingAppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://ipinfo.io/OfficeTrackerNMP131.exe, 00000012.00000002.2886061884.0000000000F27000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://tempuri.org/Entity/Id10ResponseDAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • 1%, Virustotal, Browse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesIWPfiAXUTJTSHistory.18.dr, 02zdBXl47cvzHistory.12.dr, IWPfiAXUTJTSHistory.12.dr, 02zdBXl47cvzHistory.18.drfalse
                                                                                              high
                                                                                              http://tempuri.org/Entity/Id5ResponseAppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • 2%, Virustotal, Browse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsAppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://tempuri.org/Entity/Id10ResponseAppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 2%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id8ResponseAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • 2%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentityAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/DAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • 1%, Virustotal, Browse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2004/06/addressingexAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseAppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://crl.thawte.com/ThawteTimestampingCA.crl0BC5tT98.exe, 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, 2Iu7231.exe.2.drfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id13ResponseAppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • 2%, Virustotal, Browse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id12ResponseDAppLaunch.exe, 0000000B.00000002.2373910611.0000000007419000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • 1%, Virustotal, Browse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/CommittedAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://t.me/Ris3rB05VU.exe, 0000000C.00000002.2583749077.00000000043E2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyAppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://tempuri.org/Entity/Id7ResponseDAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        • 1%, Virustotal, Browse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementAppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCTAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://www.google.com/images/branding/product/ico/googleg_lodp.icoAppLaunch.exe, 0000000B.00000002.2380103032.0000000008E86000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FBC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009163000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F13000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007464000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090BC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.00000000090D6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000798D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008EA1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009147000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.000000000902D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000009049000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000078F7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000074C6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008F2E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.000000000792F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2380103032.0000000008FA0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 
0000000B.00000002.2373910611.0000000007A23000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.00000000079C5000.00000004.00000800.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2249463056.000000000335A000.00000004.00000020.00020000.00000000.sdmp, 3rB05VU.exe, 0000000C.00000003.2251488550.000000000336B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousAppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://tempuri.org/Entity/Id4ResponseDAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                • 1%, Virustotal, Browse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_WrapAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2002/12/policyAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://tempuri.org/Entity/Id22ResponseAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • 2%, Virustotal, Browse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://tempuri.org/Entity/Id22ResponseDAppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • 2%, Virustotal, Browse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://tempuri.org/Entity/Id16ResponseDAppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • 0%, Virustotal, Browse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/IssueAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/IssueAppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://tempuri.org/Entity/Id19ResponseDAppLaunch.exe, 0000000B.00000002.2373910611.0000000007886000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          • 1%, Virustotal, Browse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id18Response | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 2% (Virustotal); Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id3Response | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 2% (Virustotal); Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/actor/next | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 1% (Virustotal); Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomple | OfficeTrackerNMP131.exe, 00000011.00000003.2283329805.0000000003DC9000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000003.2283612605.0000000003DBA000.00000004.00000020.00020000.00000000.sdmp, OfficeTrackerNMP131.exe, 00000011.00000003.2283305020.0000000003DBA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | AppLaunch.exe, 0000000B.00000002.2373910611.00000000073BB000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 1% (Virustotal); Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | AppLaunch.exe, 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp | false | 1% (Virustotal); Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
194.49.94.152 | unknown | unknown | 42707 | EQUEST-ASNL | true
34.117.59.81 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1345577
Start date and time: 2023-11-21 04:16:05 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: 14OWDrfahJ.exe (renamed because the original name is a hash value)
Original Sample Name: 725dbfed269993cb9944c2e1f7bde652.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@26/50@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 179
• Number of non-executed functions: 138
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
03:17:52 | Task Scheduler | Run new task: OfficeTrackerNMP131 HR, path: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
03:17:52 | Task Scheduler | Run new task: OfficeTrackerNMP131 LG, path: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
03:17:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MaxLoonaFest131 C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
03:18:04 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MaxLoonaFest131 C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
03:18:13 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
04:18:04 | API Interceptor | 15x Sleep call for process: AppLaunch.exe modified
                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                        194.49.94.152KGTr0pyiHy.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                          VvJtPX1Ju6.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                            dftpzJ6W8e.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                              file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                  file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                    file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                      file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                        file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                          lW0QDt6F5B.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                                            nncbJPkOMX.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                                              Wuaubi10yf.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                  file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                    file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                      file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                        file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                          file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                            file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                              file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                                34.117.59.81SecuriteInfo.com.Win32.KeyloggerX-gen.20370.1036.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • ipinfo.io/ip
                                                                                                                                                                                                                SecuriteInfo.com.Win32.KeyloggerX-gen.20370.1036.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • ipinfo.io/ip
                                                                                                                                                                                                                IP-Grabber.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • ipinfo.io/ip
                                                                                                                                                                                                                BadUsb.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • ipinfo.io/ip
                                                                                                                                                                                                                ZmYfQBiw.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • ipinfo.io/
                                                                                                                                                                                                                jmdCh1Z3.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • ipinfo.io/
                                                                                                                                                                                                                wAFWKlU1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • ipinfo.io/
                                                                                                                                                                                                                41zkbPOMpg.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • ipinfo.io/geo
                                                                                                                                                                                                                41zkbPOMpg.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • ipinfo.io/geo
 | bYpCn0v8.posh.ps1 | malicious | Unknown | ipinfo.io/json
 | Bon8RXwP7S.exe | malicious | Unknown | ipinfo.io/json
 | CCiocj0tkz.exe | malicious | Unknown | ipinfo.io/json
 | 7c.exe | malicious | AsyncRAT, Blank Grabber, Clipboard Hijacker, EICAR, StormKitty, ToxicEye, WorldWind Stealer | ipinfo.io/json
 | http://34.117.59.81 | malicious | Unknown | 34.117.59.81/
 | 5b1d7866.exe | malicious | RedLine | ipinfo.io/ip
 | SecuriteInfo.com.Variant.Tedy.197311.29167.32662.exe | malicious | Unknown | ipinfo.io/json
 | iTop Easy Desktop_Setup_IU.exe | malicious | Unknown | ipinfo.io/
 | sample.exe | malicious | Unknown | ipinfo.io/json
 | 04451999.exe.lnk | malicious | Unknown | ipinfo.io/json
 | o5QR1PuuAx.exe | malicious | Orcus | ipinfo.io/ip
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | KGTr0pyiHy.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | VvJtPX1Ju6.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | dftpzJ6W8e.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | lW0QDt6F5B.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | nncbJPkOMX.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | Wuaubi10yf.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | sil5l1lROD.exe | malicious | Unknown | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
Match | Associated Sample Name / URL | Detection | Threat Name | Context
EQUEST-ASNL | KGTr0pyiHy.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 194.49.94.152
 | VvJtPX1Ju6.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 194.49.94.152
 | dftpzJ6W8e.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 194.49.94.152
 | file.exe | malicious | Glupteba, Vidar | 194.49.94.85
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 194.49.94.152
 | file.exe | malicious | Babuk, Clipboard Hijacker, CryptOne, Djvu, Glupteba, RedLine, SmokeLoader | 194.49.94.77
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 194.49.94.152
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 194.49.94.152
 | file.exe | malicious | CryptOne, Djvu, Glupteba, RedLine, SmokeLoader, Vidar, Xmrig | 194.49.94.77
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 194.49.94.152
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 194.49.94.152
 | file.exe | malicious | RedLine | 194.49.94.142
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 194.49.94.152
 | file.exe | malicious | CryptOne, Djvu, Glupteba, RedLine, SmokeLoader, Vidar, Xmrig | 194.49.94.77
 | file.exe | malicious | RedLine | 194.49.94.80
 | lW0QDt6F5B.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 194.49.94.152
 | nncbJPkOMX.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 194.49.94.152
 | Wuaubi10yf.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 194.49.94.152
 | 1DI50gCNGQ.exe | malicious | Glupteba, RedLine, SmokeLoader, Vidar, Xmrig | 194.49.94.77
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 194.49.94.152
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | KGTr0pyiHy.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | VvJtPX1Ju6.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | dftpzJ6W8e.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | https://s3waqgjv83b.larksuite.com/docx/U9qhdPDPIoyGGvxrwcPuMm4osRf?from=from_copylink | malicious | Unknown | 34.117.97.41
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | CourierRequest_signed.apk | malicious | Unknown | 34.117.60.144
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | G7DyaA9iz9.exe | malicious | Pushdo | 34.67.9.172
 | file.exe | malicious | PrivateLoader, RisePro Stealer | 34.117.59.81
 | lW0QDt6F5B.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | nncbJPkOMX.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | Wuaubi10yf.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 34.117.59.81
 | sil5l1lROD.exe | malicious | Unknown | 34.117.59.81
 | Fax-399383-3003-30393.xlsx | malicious | Unknown | 34.117.177.207
 | Fax-399383-3003-30393.xlsx | malicious | Unknown | 34.117.177.207
                                                                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                a0e9f5d64349fb13191bc781f81f42e1KGTr0pyiHy.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                VvJtPX1Ju6.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                dftpzJ6W8e.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousBabuk, Clipboard Hijacker, CryptOne, Djvu, Glupteba, RedLine, SmokeLoaderBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousCryptOne, Djvu, Glupteba, RedLine, SmokeLoader, Vidar, XmrigBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                NEWREST_Procurement.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousPrivateLoader, RisePro StealerBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                file.exeGet hashmaliciousCryptOne, Djvu, Glupteba, RedLine, SmokeLoader, Vidar, XmrigBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                DOCUMENTOVIEW_FACTURAEXPRESS_ESCANEAD_PDFN3D0L3BG5D.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                DOCUMENTOVIEW_FACTURAEXPRESS_ESCANEAD_PDFN3D0L3BG5D.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                lW0QDt6F5B.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                IMG123101.jpg.js.DocxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                • 34.117.59.81
                                                                                                                                                                                                                nncbJPkOMX.exeGet hashmaliciousPrivateLoader, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                                • 34.117.59.81
No context

Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1322267
Entropy (8bit):6.666192479005095
Encrypted:false
SSDEEP:24576:NmmEs2wqfcRBxJCBEmAMpCOJMbgp2kvB1Pj5R+d3ThJZrU35Zln2i6:8dw/IyPxbgp2iB1Pju3TRrK5Zln2i6
MD5:5158C4F1C895E03E3157643FBA44BF15
SHA1:02E191C58D6D9B40779FDE325E04DAF2BFC55E70
SHA-256:BE74C33F2F6CBD28A1CE43D6597ED5CD5F0052EE27FD11EE2F91514CF1400118
SHA-512:C39DC8508F862F30D393F4C81B4CB16C5F8A673600F1821F3046D3EC2BE720BBAA5435E7A09B717760E5B41AB6EC75B830261545802AC08E104E47FBA571DEA5
Malicious:true
Yara Hits:
• Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 65%
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........|............e......e.4..,`.....e.....a>.....a.....a......a.....e.....e.....e..........>a....>a<......T....>a.....Rich...........PE..L....VRe...............".L..........K........`....@..........................p............@.................................dz..................................0.......8...........................H...@............`...............................text...xJ.......L.................. ..`.rdata.../...`...0...P..............@..@.data....5......."..................@....rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1322267
Entropy (8bit):6.666192479005095
Encrypted:false
SSDEEP:24576:NmmEs2wqfcRBxJCBEmAMpCOJMbgp2kvB1Pj5R+d3ThJZrU35Zln2i6:8dw/IyPxbgp2iB1Pju3TRrK5Zln2i6
MD5:5158C4F1C895E03E3157643FBA44BF15
SHA1:02E191C58D6D9B40779FDE325E04DAF2BFC55E70
SHA-256:BE74C33F2F6CBD28A1CE43D6597ED5CD5F0052EE27FD11EE2F91514CF1400118
SHA-512:C39DC8508F862F30D393F4C81B4CB16C5F8A673600F1821F3046D3EC2BE720BBAA5435E7A09B717760E5B41AB6EC75B830261545802AC08E104E47FBA571DEA5
Malicious:true
Yara Hits:
• Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 65%
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........|............e......e.4..,`.....e.....a>.....a.....a......a.....e.....e.....e..........>a....>a<......T....>a.....Rich...........PE..L....VRe...............".L..........K........`....@..........................p............@.................................dz..................................0.......8...........................H...@............`...............................text...xJ.......L.................. ..`.rdata.../...`...0...P..............@..@.data....5......."..................@....rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3094
Entropy (8bit):5.33145931749415
Encrypted:false
SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:2A56468A7C0F324A42EA599BF0511FAF
SHA1:404B343A86EDEDF5B908D7359EB8AA957D1D4333
SHA-256:6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
SHA-512:19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):5519
Entropy (8bit):7.897524359443915
Encrypted:false
SSDEEP:96:pWGzqeAoMq+YK0KF8cAJiI2i+u8qo87RGqUHa5Sr1zeE4WBFr:dqASpF8wFzqoc5U65BWBFr
MD5:80807121E3E92CEE6C36DF600CAD1E69
SHA1:0D11B7895BA153C4CA9A8E6441F92B7F69AAB939
SHA-256:3CA85418D7F09866CD35C749B8A5A490F6496CD9E695E69E159065EC618C02A7
SHA-512:773384BBE7C9241A46F98F6160BB4925635400019EA63EF82EB2FE5AF13E1D359C7486060D10E9D2F130C6836B126588204893C67C701368C3A9554AC0A08DC0
Malicious:false
Preview:PK........L"uW................Cookies\..PK........L"uWQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym

                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):1322267
                                                                                                                                                                                                                Entropy (8bit):6.666192479005095
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:24576:NmmEs2wqfcRBxJCBEmAMpCOJMbgp2kvB1Pj5R+d3ThJZrU35Zln2i6:8dw/IyPxbgp2iB1Pju3TRrK5Zln2i6
                                                                                                                                                                                                                MD5:5158C4F1C895E03E3157643FBA44BF15
                                                                                                                                                                                                                SHA1:02E191C58D6D9B40779FDE325E04DAF2BFC55E70
                                                                                                                                                                                                                SHA-256:BE74C33F2F6CBD28A1CE43D6597ED5CD5F0052EE27FD11EE2F91514CF1400118
                                                                                                                                                                                                                SHA-512:C39DC8508F862F30D393F4C81B4CB16C5F8A673600F1821F3046D3EC2BE720BBAA5435E7A09B717760E5B41AB6EC75B830261545802AC08E104E47FBA571DEA5
                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe, Author: Joe Security
                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 65%
                                                                                                                                                                                                                Process:C:\Users\user\Desktop\14OWDrfahJ.exe
                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):194329
                                                                                                                                                                                                                Entropy (8bit):7.228014101885434
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:3072:jDKW1LgppLRHMY0TBfJvjcTp5X2QyRk9Bo7KWH2yHsGe:jDKW1Lgbdl0TBBvjc/EIBr42f
                                                                                                                                                                                                                MD5:D46DFAA1A96F696178104F95A293D90B
                                                                                                                                                                                                                SHA1:909E21DF58F6874B39EF1D9056AE1376473DF3DB
                                                                                                                                                                                                                SHA-256:89B9C4C48D5ADC78C8A68F942F29C5910DDFF28E93396637395259FB43BB9FFB
                                                                                                                                                                                                                SHA-512:F414CA192BEF9BAFE1AA6DC03B9689674E741288FB402DF30236053648D45BB6E13E2A0D06ED12669DA490254F8D646A48111AECC4CF38A45C9997467817C79B
                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe, Author: Joe Security
                                                                                                                                                                                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe, Author: ditekSHen
                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 67%
                                                                                                                                                                                                                Process:C:\Users\user\Desktop\14OWDrfahJ.exe
                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):975872
                                                                                                                                                                                                                Entropy (8bit):7.932567220315467
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:24576:7yzQY6ImYCjOE00BoBXInozrpEZ3mbfxCqyXdHQO:uwImV62+BYozrpEi8qua
                                                                                                                                                                                                                MD5:A8089B11ACB5AEB2755B87605CC0365C
                                                                                                                                                                                                                SHA1:C035EE12225776F021D16E122292F141DEDD624C
                                                                                                                                                                                                                SHA-256:375A34A774523A7C660178999A78DA0957104AC315B0F2F6D2400AD5725361E5
                                                                                                                                                                                                                SHA-512:5776D2393D01E7D23695F3D7943172734F78387466D15141958A715AB8B7F76C1918813F60456C43106A3CAD015441AD38A3BC1EF7DD01C495DA165FEF0323BE
                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 54%
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):38170
                                                                                                                                                                                                                Entropy (8bit):6.966236649868699
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:768:f8FhylJE+hwr5hN7F0I0bQyvUgq65DQVi:f8qlJEQwrDNuIyvD5sV
                                                                                                                                                                                                                MD5:295C91C8DFB843E25805DDD1DB402BB3
                                                                                                                                                                                                                SHA1:1C97D7AFD1447A3AAD2C1403FC366755F610D8EA
                                                                                                                                                                                                                SHA-256:CCE2538CD7137A0BDD838C7D8483E0FEFB98E3B9ABE26C8E7469ADC27D57FD10
                                                                                                                                                                                                                SHA-512:B514BD0485A053E656BF4A1978C616C7DDDB358020D771AF57FC6F3F5B55C903C01C87D3D9FFE01D49DDBDE915B07F041458FC374DD3E9D79DEC1B84378D9009
                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe, Author: Joe Security
                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 62%
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):848896
                                                                                                                                                                                                                Entropy (8bit):7.916586155218512
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:24576:4ypiqqjCyPW8UoiXqnozrHHJ3muNxCWyMdCW:/IGSppi6ozrHHJ8Wl
                                                                                                                                                                                                                MD5:CC54031BCC9F48998C7AE467ACF73422
                                                                                                                                                                                                                SHA1:C3385C4E8512ECB6DBEC0B9A2AD8187BFF4E0F9C
                                                                                                                                                                                                                SHA-256:0ED1909BF61ABCC177900AFEB621C9F4A367141DA2047BCA0D52044BDEF5D729
                                                                                                                                                                                                                SHA-512:A215E90EE43E8D55A4E410F9723D42A900ACE1518F3F51FD3686C330477C5833CF2287497D645FCC9E01F73ADD04359D98456B40DCCDF2E84A4E027ADF05492C
                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 56%
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
                                                                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):505120
                                                                                                                                                                                                                Entropy (8bit):6.737133406380524
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:6144:v3nNKoPE2gZB/6fZOE0EUAOtwdl7HaOBq3Nu13Cdq66666q18x:fnNTPE2CEgEdl76nEds/x
                                                                                                                                                                                                                MD5:EFBF47DBDF08AC3A28C0236D9C0A4C27
                                                                                                                                                                                                                SHA1:69AAABF9EA57E16104A3EB5F33D0CE15716D555A
                                                                                                                                                                                                                SHA-256:CF3DBE71579BC48E661CF9D5B59C7F14EF72AC70CAE6B8EDCFE741E19B44F8CC
                                                                                                                                                                                                                SHA-512:AD54945FA67FF90CF84CECDA717ED1E9A84D8AA00037E7A3FE1B2A77E864CF74FC3DDFDEBA1967C0BCB429CC8DB27F473CB763609A746B8069C0B33E626A891C
                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 35%
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):1322267
                                                                                                                                                                                                                Entropy (8bit):6.666192479005095
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:24576:NmmEs2wqfcRBxJCBEmAMpCOJMbgp2kvB1Pj5R+d3ThJZrU35Zln2i6:8dw/IyPxbgp2iB1Pju3TRrK5Zln2i6
                                                                                                                                                                                                                MD5:5158C4F1C895E03E3157643FBA44BF15
                                                                                                                                                                                                                SHA1:02E191C58D6D9B40779FDE325E04DAF2BFC55E70
                                                                                                                                                                                                                SHA-256:BE74C33F2F6CBD28A1CE43D6597ED5CD5F0052EE27FD11EE2F91514CF1400118
                                                                                                                                                                                                                SHA-512:C39DC8508F862F30D393F4C81B4CB16C5F8A673600F1821F3046D3EC2BE720BBAA5435E7A09B717760E5B41AB6EC75B830261545802AC08E104E47FBA571DEA5
                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe, Author: Joe Security
                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                • Antivirus: Virustotal, Detection: 65%
                                                                                                                                                                                                                Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
                                                                                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):5517
                                                                                                                                                                                                                Entropy (8bit):7.899928372355382
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:96:5WGzqeAoMq+YK0KF8cAJiI2i+uF81rXtQBoYx0iehfahx1Up+cBFV:NqASpF8wFm81r+ox5hChx1UpzBFV
                                                                                                                                                                                                                MD5:7F7BC9415457A480F57AAE9506C2F244
                                                                                                                                                                                                                SHA1:CAADF33B5FB6228456E88469D228B9006FCCAAE3
                                                                                                                                                                                                                SHA-256:24F74D39E56C5BF82A9C29D28606C38EFBCCE9A84845BA478B575D82BA15C43F
                                                                                                                                                                                                                SHA-512:48586915B212254399BD30597A9507BC837F840CB086EA20C9744CF9A4FAD79D82C506E8F3DE5AEC4A9E708C82D8449B5BEA34F12CCD7D26D6AEC79029B822E2
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):13
                                                                                                                                                                                                                Entropy (8bit):2.7773627950641693
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:3:L/+Qt:D+Q
                                                                                                                                                                                                                MD5:11EE83C5E89B7A29C0155B9E309152ED
                                                                                                                                                                                                                SHA1:C3604D6770D56C25DAFD8A0A526D51D8FB69B0FD
                                                                                                                                                                                                                SHA-256:B2B004404C7C4969B418C8AADBD00B273DFA658989F13BDF44D88E78F9CE8BC2
                                                                                                                                                                                                                SHA-512:A1A7402A99DF7D4AC271D571312634CA27FE52FABAB38DB32D300764E2E3B0DF5A49CC2303BB3899E60AC83F06071C4F71BC7010BF699175BAC9B7C25DB63DB1
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:1700542535615
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):159744
                                                                                                                                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):98304
                                                                                                                                                                                                                Entropy (8bit):0.08235737944063153
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):126976
                                                                                                                                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):5242880
                                                                                                                                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):40960
                                                                                                                                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):5242880
                                                                                                                                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):40960
                                                                                                                                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):159744
                                                                                                                                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):114688
                                                                                                                                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                                                                Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................

Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}........................................

Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}........................................

Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................

Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$........................................

Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Preview:SQLite format 3......@ .......'........... ......................................................j........................................

Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j......}..}........................................

Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}........................................

Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................
                                                                                                                                                                                                                Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):5242880
                                                                                                                                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):40960
                                                                                                                                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):5242880
                                                                                                                                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):40960
                                                                                                                                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                Size (bytes):159744
                                                                                                                                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:ASCII text, with very long lines (769), with CRLF line terminators
Category:dropped
Size (bytes):6085
Entropy (8bit):6.038274200863744
Encrypted:false
SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5:ACB5AD34236C58F9F7D219FB628E3B58
SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:ASCII text
Category:dropped
Size (bytes):5722
Entropy (8bit):5.385073733001579
Encrypted:false
SSDEEP:96:twlQwbf9fJHBd8pvBUfioHmobapzOI4+68Dae5apYBRw/f0iV2z5JZx8kaNKs7sJ:t6RKgioGobaoI4+68Dae5apYBRw/f0ia
MD5:EA9FBE4AFD11E6387A6017ADBC8FB714
SHA1:7C6D84B8392743D89811B75D7057181D891DA4F1
SHA-256:43E65FCFFB5A878CB9377CE942B853442FB197C4345B52E5F6B0922B541EBA3F
SHA-512:42EC3E98B393DB00C289092D7C625988EC53D958FD54EF7B1A9D226EE1BE4ED67310DFE48160D091FD76F907F2EDC451B4239A80A69EA7444DD2893FA860C41B
Malicious:false
Preview:Version: 1.0..Date: Tue Nov 21 04:17:55 2023.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06.GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}.HWID: bae8dddaaca209009b2a630770ff8b0b..Path: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe.Work Dir: C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e..IP: 89.149.18.60.Location: US, Washington.Windows: Windows 10 Pro [x64].Computer Name: 367706.User Name: user.Display Resolution: 1280x1024.Display Language: en-CH.Keyboard Languages: English (United Kingdom) / English (United Kingdom).Local Time: 21/11/2023 4:17:55.TimeZone: UTC1..[Hardware].Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.CPU Count: 4.RAM: 8191 MB.VideoCard #0: Microsoft Basic Display Adapter..[Processes].System [4].Registry [92].smss.exe [324].csrss.exe [408].wininit.exe [484].csrss.exe [492].winlogon.exe [552].services.exe [620].lsass.exe [628].svchost.exe [752].fontdrvhost.exe [776].fontdrvhost.exe [784].svchost.exe [872].svchost.exe [920].dwm.exe [988].svchost.
Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):4902
Entropy (8bit):2.5402512142169575
Encrypted:false
SSDEEP:48:tMMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMME:m
MD5:974CC190D5703018C01CE08B904E227B
SHA1:B4F0F2A72907FCF9551846411A7221F60A88F97D
SHA-256:204A93E1274C57F489ADB21E0BF56064624582BB3B79FD59BA779EC8A137D8FF
SHA-512:1949CD5EF9AE8ECB93C47E777DD183E758744D5768D024848E462B5416034D7D5CB2A9190D6AC7A2B8151380910ECDE4DF9396A8E9910B0582015A4923E7103E
Malicious:false
Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:ASCII text, with very long lines (769), with CRLF line terminators
Category:dropped
Size (bytes):6085
Entropy (8bit):6.038274200863744
Encrypted:false
SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5:ACB5AD34236C58F9F7D219FB628E3B58
SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious:false
Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:ASCII text
Category:dropped
Size (bytes):5724
Entropy (8bit):5.385381816454912
Encrypted:false
SSDEEP:96:tCSQwbfvfJHBd8pvBUfioHmobapzOI4+68Dae5apYBRw/f0iV2z5JZx8kaNKs7sJ:O6rKgioGobaoI4+68Dae5apYBRw/f0ia
MD5:7D4A9DA1C2A655174B9BBF021E0CC2F0
SHA1:63110B815E0FD6BA95654DA61B21112BF67CC578
SHA-256:7190F61BD4297F3738F27FF811F63553801C2170F3B8D5E2F97FF703BE649FCF
SHA-512:4478B137B6C7EDFCFAFD81BFE4D95C4504309A6728BDEC67B3E60EEA50A20525A080900E2988854DC3C53D85135532746757ABCA3D78CD82AC87AF336B2E6A08
Malicious:false
Preview:Version: 1.0..Date: Tue Nov 21 04:17:57 2023.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06.GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}.HWID: bae8dddaaca209009b2a630770ff8b0b..Path: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe.Work Dir: C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3..IP: 89.149.18.60.Location: US, Washington.Windows: Windows 10 Pro [x64].Computer Name: 367706.User Name: user.Display Resolution: 1280x1024.Display Language: en-CH.Keyboard Languages: English (United Kingdom) / English (United Kingdom).Local Time: 21/11/2023 4:17:57.TimeZone: UTC1..[Hardware].Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.CPU Count: 4.RAM: 8191 MB.VideoCard #0: Microsoft Basic Display Adapter..[Processes].System [4].Registry [92].smss.exe [324].csrss.exe [408].wininit.exe [484].csrss.exe [492].winlogon.exe [552].services.exe [620].lsass.exe [628].svchost.exe [752].fontdrvhost.exe [776].fontdrvhost.exe [784].svchost.exe [872].svchost.exe [920].dwm.exe [988].svchos
Process:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
File Type:Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):4902
Entropy (8bit):2.5402512142169575
Encrypted:false
SSDEEP:48:tMMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMME:m
MD5:974CC190D5703018C01CE08B904E227B
SHA1:B4F0F2A72907FCF9551846411A7221F60A88F97D
SHA-256:204A93E1274C57F489ADB21E0BF56064624582BB3B79FD59BA779EC8A137D8FF
SHA-512:1949CD5EF9AE8ECB93C47E777DD183E758744D5768D024848E462B5416034D7D5CB2A9190D6AC7A2B8151380910ECDE4DF9396A8E9910B0582015A4923E7103E
Malicious:false
Preview:..................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Tue Nov 21 02:17:50 2023, mtime=Tue Nov 21 02:17:50 2023, atime=Mon Nov 20 22:31:48 2023, length=1322267, window=hide
Category:dropped
Size (bytes):1238
Entropy (8bit):4.88859123282099
Encrypted:false
SSDEEP:24:8+dxnTXBeR9gKF3bAUA8fFcLtu5oqyFm:8qxzBeRHrAjIFcI5xyF
MD5:BECFC67021DA211BA2C0D7B28AA122B1
SHA1:6A996C2C56132AEF35A8185BB4081B8C81FD55C2
SHA-256:B731C7F43F7A699347475A9AC2C8DF12DB980F1DFF3ACB4914387BADC25846F0
SHA-512:12E7BC80002B5B49CBD7F31B92D9EF3BBAEB376054CD1CB778CD07C7CEB59EE0C064D91311D5F4E18A5186F39FD190DF7568566F07E551D12339FA2E946E2829
Malicious:false
Preview:L..................F.... ....4+O)....4+O)....J.......-......................0.:..DG..Yr?.D..U..k0.&...&......vk.v.....|.....n 7O).......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^uW.............................%..A.p.p.D.a.t.a...B.P.1.....DW.X..Local.<......CW.^uW......b.......................m.L.o.c.a.l.....N.1.....uW....Temp..:......CW.^uW:.....l......................&..T.e.m.p.....d.1.....uW:...FANBOO~1..L......uW:.uW:..........................s;..F.A.N.B.o.o.s.t.e.r.1.3.1.....p.2..-..tW.. .FANBOO~1.EXE..T......uW:.uW:..............................F.A.N.B.o.o.s.t.e.r.1.3.1...e.x.e.......p...............-.......o............T.S.....C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe....F.A.N.B.o.o.s.t.e.r.1.3.1.<.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.F.A.N.B.o.o.s.t.e.r.1.3.1.\.F.A.N.B.o.o.s.t.e.r.1.3.1...e.x.e.........|....I.J.H..K..:...`.......X.......367706...........hT..CrF.f4... ...T..b...,.......hT..CrF
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.950471609848932
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:14OWDrfahJ.exe
File size:1'200'128 bytes
MD5:725dbfed269993cb9944c2e1f7bde652
SHA1:7104f1350e38ec3c3ea49154f1bba976572cb271
SHA256:6db8fff48b37469101d280c3e60463c27ace26ea8076e94e358ae74e49fb46ac
SHA512:1b3eff8e975ee797787b003106d8d222b7c51a85549b3060b80b95edf5e6ef7aa1cfb9d066fd37add46066127b179d8b5c6fdc4d720c47b6524dccbd589e3227
SSDEEP:24576:NyHiBlVAY6BZzrjPP57SKJXenZzrIKg0maIxCKy3dHELZwIIe:oCBIBZvrN/JOZzrIK88KmaVr
TLSH:3645235BABC89873C5B53BB038F922871A3A3EA15D34936F33D19C9E09719905431BB7
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K...K...K...N...K...H...K...O...K...J...K...J...K...C...K.......K...I...K.Rich..K.........PE..L....`.b.................d.
Icon Hash:3b6120282c4c5a1f
Entrypoint:0x406a60
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x628D60E2 [Tue May 24 22:49:06 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:646167cce332c1c252cdcb1839e0cf48
Instruction
call 00007F4018C84DD5h
jmp 00007F4018C846E5h
push 00000058h
push 004072B8h
call 00007F4018C84E77h
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
lea eax, dword ptr [ebp-68h]
push eax
call dword ptr [0040A184h]
mov dword ptr [ebp-04h], ebx
mov eax, dword ptr fs:[00000018h]
mov esi, dword ptr [eax+04h]
mov edi, ebx
mov edx, 004088ACh
mov ecx, esi
xor eax, eax
lock cmpxchg dword ptr [edx], ecx
test eax, eax
je 00007F4018C846FAh
cmp eax, esi
jne 00007F4018C846E9h
xor esi, esi
inc esi
mov edi, esi
jmp 00007F4018C846F2h
push 000003E8h
call dword ptr [0040A188h]
jmp 00007F4018C846B9h
xor esi, esi
inc esi
cmp dword ptr [004088B0h], esi
jne 00007F4018C846ECh
push 0000001Fh
call 00007F4018C84C0Bh
pop ecx
jmp 00007F4018C8471Ch
cmp dword ptr [004088B0h], ebx
jne 00007F4018C8470Eh
mov dword ptr [004088B0h], esi
push 004010C4h
                                                                                                                                                                                                                push 004010B8h
                                                                                                                                                                                                                call 00007F4018C84836h
                                                                                                                                                                                                                pop ecx
                                                                                                                                                                                                                pop ecx
                                                                                                                                                                                                                test eax, eax
                                                                                                                                                                                                                je 00007F4018C846F9h
                                                                                                                                                                                                                mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                                                mov eax, 000000FFh
                                                                                                                                                                                                                jmp 00007F4018C84819h
                                                                                                                                                                                                                mov dword ptr [004081E4h], esi
                                                                                                                                                                                                                cmp dword ptr [004088B0h], esi
                                                                                                                                                                                                                jne 00007F4018C846FDh
                                                                                                                                                                                                                push 004010B4h
                                                                                                                                                                                                                push 004010ACh
                                                                                                                                                                                                                call 00007F4018C84DC5h
                                                                                                                                                                                                                pop ecx
                                                                                                                                                                                                                pop ecx
                                                                                                                                                                                                                mov dword ptr [000088B0h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa28c | 0xb4 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x11c924 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x129000 | 0x888 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1410 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1008 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x288 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6314 | 0x6400 | False | 0.5744140625 | data | 6.314163792045976 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x8000 | 0x1a48 | 0x200 | False | 0.609375 | data | 4.970639543960129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xa000 | 0x1052 | 0x1200 | False | 0.4140625 | data | 5.025949912909207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x11d000 | 0x11ca00 | False | 0.9740518294356609 | data | 7.966087991764429 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x129000 | 0x888 | 0xa00 | False | 0.746484375 | data | 6.222637930812128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AVI | 0xc9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
RT_ICON | 0xf814 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
RT_ICON | 0xfe7c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
RT_ICON | 0x10164 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
RT_ICON | 0x1034c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
RT_ICON | 0x10474 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
RT_ICON | 0x1131c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
RT_ICON | 0x11bc4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
RT_ICON | 0x1228c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
RT_ICON | 0x127f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
RT_ICON | 0x201c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
RT_ICON | 0x22770 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
RT_ICON | 0x23818 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
RT_ICON | 0x241a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
RT_DIALOG | 0x24608 | 0x2f2 | data | English | United States | 0.4389920424403183
RT_DIALOG | 0x248fc | 0x1b0 | data | English | United States | 0.5625
RT_DIALOG | 0x24aac | 0x166 | data | English | United States | 0.5223463687150838
RT_DIALOG | 0x24c14 | 0x1c0 | data | English | United States | 0.5446428571428571
RT_DIALOG | 0x24dd4 | 0x130 | data | English | United States | 0.5526315789473685
RT_DIALOG | 0x24f04 | 0x120 | data | English | United States | 0.5763888888888888
RT_STRING | 0x25024 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
RT_STRING | 0x250b0 | 0x520 | data | English | United States | 0.4032012195121951
RT_STRING | 0x255d0 | 0x5cc | data | English | United States | 0.36455525606469
RT_STRING | 0x25b9c | 0x4b0 | data | English | United States | 0.385
RT_STRING | 0x2604c | 0x44a | data | English | United States | 0.3970856102003643
RT_STRING | 0x26498 | 0x3ce | data | English | United States | 0.36858316221765913
RT_RCDATA | 0x26868 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x26870 | 0x10139c | Microsoft Cabinet archive data, many, 1053596 bytes, 2 files, at 0x2c +A "Ey3OF47.exe" +A "5Rp2df8.exe", ID 1788, number 1, 36 datablocks, 0x1503 compression | English | United States | 1.0001583099365234
RT_RCDATA | 0x127c0c | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x127c10 | 0x24 | data | English | United States | 0.7222222222222222
RT_RCDATA | 0x127c34 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x127c3c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x127c44 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x127c48 | 0xc | data | English | United States | 1.6666666666666667
RT_RCDATA | 0x127c54 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x127c58 | 0xc | data | English | United States | 1.6666666666666667
RT_RCDATA | 0x127c64 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x127c68 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x127c6c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x127c74 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_GROUP_ICON | 0x127c7c | 0xbc | data | English | United States | 0.6117021276595744
RT_VERSION | 0x127d38 | 0x408 | data | English | United States | 0.42441860465116277
RT_MANIFEST | 0x128140 | 0x7e2 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3761149653121903
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, lstrcmpA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, ExpandEnvironmentStringsA, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, FindNextFileA, LocalAlloc, GetShortPathNameA, MulDiv, GetDiskFreeSpaceA, EnumResourceLanguagesA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, Sleep, FindClose, GetCurrentProcess, FindFirstFileA, WaitForSingleObject, GetModuleFileNameA, LoadLibraryExA
GDI32.dll | GetDeviceCaps
USER32.dll | SetWindowLongA, GetDlgItemTextA, DialogBoxIndirectParamA, ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetDesktopWindow, CharUpperA, SetDlgItemTextA, ExitWindowsEx, MessageBeep, EndDialog, CharPrevA, LoadStringA, CharNextA, EnableWindow, ReleaseDC, SetForegroundWindow, PeekMessageA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MessageBoxA, SetWindowTextA, GetWindowLongA, CallWindowProcA, GetSystemMetrics
msvcrt.dll | _controlfp, ?terminate@@YAXXZ, _acmdln, _initterm, __setusermatherr, _except_handler4_common, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, memcpy_s, _vsnprintf, memset
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
Language of compilation system | Country where language is spoken | Map
English | United States |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 11/21/23-04:17:53.738836 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) | 50500 | 49739 | 194.49.94.152 | 192.168.2.4 |
| 11/21/23-04:17:53.938221 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (External IP) | 50500 | 49739 | 194.49.94.152 | 192.168.2.4 |
| 11/21/23-04:17:53.161550 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 19053 | 49737 | 194.49.94.152 | 192.168.2.4 |
| 11/21/23-04:17:52.523115 | TCP | 2049060 | ET TROJAN Suspected RisePro TCP Heartbeat Packet | 49736 | 50500 | 192.168.2.4 | 194.49.94.152 |
| 11/21/23-04:17:53.817185 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) | 50500 | 49740 | 194.49.94.152 | 192.168.2.4 |
| 11/21/23-04:17:57.323617 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Activity) | 49736 | 50500 | 192.168.2.4 | 194.49.94.152 |
| 11/21/23-04:17:52.401609 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) | 50500 | 49736 | 194.49.94.152 | 192.168.2.4 |
| 11/21/23-04:17:58.568287 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Activity) | 49739 | 50500 | 192.168.2.4 | 194.49.94.152 |
| 11/21/23-04:17:52.593099 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (External IP) | 50500 | 49736 | 194.49.94.152 | 192.168.2.4 |
| 11/21/23-04:18:06.317470 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49737 | 19053 | 192.168.2.4 | 194.49.94.152 |
| 11/21/23-04:17:54.018834 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (External IP) | 50500 | 49740 | 194.49.94.152 | 192.168.2.4 |
| 11/21/23-04:18:05.978094 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) | 50500 | 49744 | 194.49.94.152 | 192.168.2.4 |
| 11/21/23-04:18:14.273521 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) | 50500 | 49745 | 194.49.94.152 | 192.168.2.4 |
| 11/21/23-04:18:23.010239 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Token) | 50500 | 49746 | 194.49.94.152 | 192.168.2.4 |
| 11/21/23-04:17:52.975741 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) | 49737 | 19053 | 192.168.2.4 | 194.49.94.152 |
| 11/21/23-04:18:30.103136 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Activity) | 49740 | 50500 | 192.168.2.4 | 194.49.94.152 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
                                                                                                                                                                                                                Nov 21, 2023 04:17:54.604990005 CET49742443192.168.2.434.117.59.81
                                                                                                                                                                                                                Nov 21, 2023 04:17:54.605010986 CET4434974234.117.59.81192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:54.605021954 CET49742443192.168.2.434.117.59.81
                                                                                                                                                                                                                Nov 21, 2023 04:17:54.605026960 CET4434974234.117.59.81192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:54.605345011 CET4974050500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:54.784481049 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:54.799472094 CET5050049740194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:54.802699089 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:54.818387032 CET4974050500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.003098011 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.003825903 CET5050049740194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.022469997 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.037599087 CET4974050500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.221600056 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.222229004 CET5050049740194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.246911049 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.261157990 CET4974050500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.441155910 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.455831051 CET5050049740194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.490098953 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:55.505696058 CET4974050500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:57.323616982 CET4973650500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:57.516359091 CET5050049736194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:57.583803892 CET4973650500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:58.231121063 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:58.417993069 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:58.418009043 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:58.418020964 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:58.418211937 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:58.568286896 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:58.584676981 CET4974050500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:58.766223907 CET5050049740194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:58.813298941 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:58.818175077 CET4974050500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:59.291296005 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:17:59.477844000 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:17:59.618172884 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:00.001149893 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:00.193185091 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.460905075 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.460999966 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.499955893 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.648171902 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.648190975 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.648260117 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.686374903 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.690416098 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.876235962 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.895020008 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:02.992866039 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.178277016 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.178299904 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.178355932 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.363892078 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.365464926 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.368822098 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.555672884 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.615060091 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.667345047 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.853121042 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:03.862746000 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:04.048834085 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:04.094501972 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:04.280379057 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:04.295054913 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:04.480779886 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:04.615159035 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:04.981602907 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.166915894 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.167583942 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.169142962 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.355046034 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.361871958 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.475064039 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.547663927 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.548894882 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.597862005 CET4974450500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.662235022 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.672930956 CET5050049739194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.673011065 CET4973950500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.734707117 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.742527008 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.787836075 CET5050049744194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.787940979 CET4974450500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.812410116 CET4974450500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.928479910 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.933094978 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:05.978094101 CET5050049744194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:06.063220978 CET5050049744194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:06.115165949 CET4974450500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:06.118829012 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:06.119371891 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:06.305097103 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:06.317470074 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:06.537103891 CET1905349737194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:06.615164042 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:06.737102032 CET4973719053192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:08.504393101 CET5050049744194.49.94.152192.168.2.4
                                                                                                                                                                                                                Nov 21, 2023 04:18:08.643755913 CET4974450500192.168.2.4194.49.94.152
                                                                                                                                                                                                                Nov 21, 2023 04:18:13.902446032 CET4974550500192.168.2.4194.49.94.152
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2023 04:17:52.733964920 CET | 54903 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2023 04:17:52.859714985 CET | 53 | 54903 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2023 04:17:52.733964920 CET | 192.168.2.4 | 1.1.1.1 | 0x12df | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2023 04:17:52.859714985 CET | 1.1.1.1 | 192.168.2.4 | 0x12df | No error (0) | ipinfo.io |  | 34.117.59.81 | A (IP address) | IN (0x0001) | false

• https:
  • ipinfo.io
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49738 | 34.117.59.81 | 443 | C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe

Timestamp | kBytes transferred | Direction | Data
2023-11-21 03:17:53 UTC | 0 | OUT | GET /widget/demo/89.149.18.60 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: ipinfo.io
2023-11-21 03:17:53 UTC | 0 | IN | HTTP/1.1 200 OK
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-type: application/json; charset=utf-8
Content-Length: 959
date: Tue, 21 Nov 2023 03:17:53 GMT
x-envoy-upstream-service-time: 2
strict-transport-security: max-age=2592000; includeSubDomains
vary: Accept-Encoding
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2023-11-21 03:17:53 UTC | 0 | IN | Data Ascii: { "input": "89.149.18.60", "data": { "ip": "89.149.18.60", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS212238 Datacamp Limited", "postal": "20004", "timezone
2023-11-21 03:17:53 UTC | 1 | IN | Data Ascii: "address": "Str. C.A. Rosetti, Nr.17", "country": "RO", "email": "abuse@binbox.com", "name": "Abuse contact role object", "network": "89.149.18.0/24", "phone": "+40 378 600 000" } }}


Session ID: 1
Source IP: 192.168.2.4   Source Port: 49741
Destination IP: 34.117.59.81   Destination Port: 443
Process: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe

Timestamp | kBytes transferred | Direction | Data
2023-11-21 03:17:54 UTC | 1 | OUT | GET /widget/demo/89.149.18.60 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: ipinfo.io
2023-11-21 03:17:54 UTC | 2 | IN | HTTP/1.1 200 OK
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-type: application/json; charset=utf-8
content-length: 959
date: Tue, 21 Nov 2023 03:17:54 GMT
x-envoy-upstream-service-time: 2
strict-transport-security: max-age=2592000; includeSubDomains
vary: Accept-Encoding
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2023-11-21 03:17:54 UTC | 2 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 39 2e 31 34 39 2e 31 38 2e 36 30 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 39 2e 31 34 39 2e 31 38 2e 36 30 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 2c 20 44 2e 43 2e 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 38 2e 38 39 35 31 2c 2d 37 37 2e 30 33 36 34 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 32 30 30 30 34 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65
Data Ascii: { "input": "89.149.18.60", "data": { "ip": "89.149.18.60", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS212238 Datacamp Limited", "postal": "20004", "timezone
2023-11-21 03:17:54 UTC | 3 | IN | Data Raw: 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 53 74 72 2e 20 43 2e 41 2e 20 52 6f 73 65 74 74 69 2c 20 4e 72 2e 31 37 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 62 69 6e 62 6f 78 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 39 2e 31 34 39 2e 31 38 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: "address": "Str. C.A. Rosetti, Nr.17", "country": "RO", "email": "abuse@binbox.com", "name": "Abuse contact role object", "network": "89.149.18.0/24", "phone": "+40 378 600 000" } }}



Session ID: 2
Source IP: 192.168.2.4   Source Port: 49742
Destination IP: 34.117.59.81   Destination Port: 443
Process: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe

Timestamp | kBytes transferred | Direction | Data
2023-11-21 03:17:54 UTC | 1 | OUT | GET /widget/demo/89.149.18.60 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: ipinfo.io
2023-11-21 03:17:54 UTC | 3 | IN | HTTP/1.1 200 OK
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-type: application/json; charset=utf-8
Content-Length: 959
date: Tue, 21 Nov 2023 03:17:54 GMT
x-envoy-upstream-service-time: 2
strict-transport-security: max-age=2592000; includeSubDomains
vary: Accept-Encoding
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2023-11-21 03:17:54 UTC | 4 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 39 2e 31 34 39 2e 31 38 2e 36 30 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 39 2e 31 34 39 2e 31 38 2e 36 30 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 2c 20 44 2e 43 2e 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 38 2e 38 39 35 31 2c 2d 37 37 2e 30 33 36 34 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 32 30 30 30 34 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65
Data Ascii: { "input": "89.149.18.60", "data": { "ip": "89.149.18.60", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS212238 Datacamp Limited", "postal": "20004", "timezone
2023-11-21 03:17:54 UTC | 4 | IN | Data Raw: 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 53 74 72 2e 20 43 2e 41 2e 20 52 6f 73 65 74 74 69 2c 20 4e 72 2e 31 37 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 62 69 6e 62 6f 78 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 39 2e 31 34 39 2e 31 38 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: "address": "Str. C.A. Rosetti, Nr.17", "country": "RO", "email": "abuse@binbox.com", "name": "Abuse contact role object", "network": "89.149.18.0/24", "phone": "+40 378 600 000" } }}
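Both sessions above are the dropped component 3rB05VU.exe, running from an IXP002.TMP directory (the naming IExpress self-extracting packages use under %TEMP%), asking ipinfo.io's /widget/demo/ endpoint to geolocate 89.149.18.60 with no token in the request, a Referer that claims the request came from ipinfo.io's own page, and an Edge User-Agent although no browser is involved. The helper below is an added example, not code from this report or from Joe Sandbox: it decodes the report's "Data Raw" hex rows for session 1 (copied from above; the report shows only part of the 959-byte body, so the JSON is incomplete and json.loads would fail), pulls the geolocation fields out of the partial body, and lists the reasons this request is worth flagging for the process that sent it. The host list, the browser executable names and the IXPnnn.TMP path pattern are assumptions chosen for this example.

```python
"""Triage helper for the ipinfo.io lookup captured above (added example, not report code)."""
import re
from typing import Dict, List, Tuple

# Request exactly as shown in session 1 of the report.
REQUEST_LINE = "GET /widget/demo/89.149.18.60 HTTP/1.1"
REQUEST_HEADERS = {
    "Connection": "Keep-Alive",
    "Referer": "https://ipinfo.io/",
    "User-Agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36"),
    "Host": "ipinfo.io",
}
PROCESS_PATH = r"C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe"
CONTENT_LENGTH = 959  # from the response's content-length header

# The two "Data Raw" rows of session 1, copied from the report. Each row shows only
# a prefix of its segment, so the middle of the 959-byte body is absent.
RAW_ROWS = [
    "7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 39 2e 31 34 39 2e 31 38 2e 36 30 22 2c 0a "
    "20 20 22 64 61 74 61 22 3a 20 7b 0a "
    "20 20 20 20 22 69 70 22 3a 20 22 38 39 2e 31 34 39 2e 31 38 2e 36 30 22 2c 0a "
    "20 20 20 20 22 63 69 74 79 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 22 2c 0a "
    "20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 2c 20 44 2e 43 2e 22 2c 0a "
    "20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a "
    "20 20 20 20 22 6c 6f 63 22 3a 20 22 33 38 2e 38 39 35 31 2c 2d 37 37 2e 30 33 36 34 22 2c 0a "
    "20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a "
    "20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 32 30 30 30 34 22 2c 0a "
    "20 20 20 20 22 74 69 6d 65 7a 6f 6e 65",
    "20 20 22 61 64 64 72 65 73 73 22 3a 20 22 53 74 72 2e 20 43 2e 41 2e 20 52 6f 73 65 74 74 69 2c 20 4e 72 2e 31 37 22 2c 0a "
    "20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a "
    "20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 62 69 6e 62 6f 78 2e 63 6f 6d 22 2c 0a "
    "20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a "
    "20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 39 2e 31 34 39 2e 31 38 2e 30 2f 32 34 22 2c 0a "
    "20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a "
    "20 20 20 20 7d 0a 20 20 7d 0a 7d",
]

# Assumptions for this example: only the host seen in this report, a short list of
# browser image names, and the IExpress temp-directory naming pattern.
GEOIP_HOSTS = {"ipinfo.io"}
BROWSER_EXES = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
BROWSER_UA = re.compile(r"Mozilla/5\.0 .*\b(Chrome|Edg|Firefox|Safari)/")
IEXPRESS_TMP = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)


def decode_raw_rows(rows: List[str]) -> bytes:
    """Turn the report's space-separated hex rows back into the bytes seen on the wire."""
    return b"".join(bytes.fromhex(row) for row in rows)


def body_complete(payload: bytes, content_length: int) -> bool:
    """True only if the decoded rows account for the whole declared body."""
    return len(payload) == content_length


def string_fields(payload: bytes) -> List[Tuple[str, str]]:
    """Extract "key": "value" string pairs in order; tolerates the truncated JSON."""
    text = payload.decode("utf-8", errors="replace")
    return re.findall(r'"([A-Za-z_]+)"\s*:\s*"([^"]*)"', text)


def victim_geo(fields: List[Tuple[str, str]]) -> Dict[str, str]:
    """First occurrence wins: the abuse-contact block repeats "country" with the ISP's value."""
    wanted = ("ip", "city", "country", "org")
    geo: Dict[str, str] = {}
    for key, value in fields:
        if key in wanted and key not in geo:
            geo[key] = value
    return geo


def triage_request(request_line: str, headers: Dict[str, str], process_path: str) -> List[str]:
    """Explain why this HTTP request is suspicious for the process that sent it."""
    h = {k.lower(): v for k, v in headers.items()}
    method, path, _ = request_line.split(" ", 2)
    host = h.get("host", "")
    exe = process_path.rsplit("\\", 1)[-1].lower()
    is_browser = exe in BROWSER_EXES
    findings: List[str] = []
    if host in GEOIP_HOSTS:
        findings.append(f"public-IP geolocation lookup: {method} https://{host}{path}")
    if BROWSER_UA.search(h.get("user-agent", "")) and not is_browser:
        findings.append(f"browser User-Agent sent by non-browser process {exe}")
    if h.get("referer", "").rstrip("/") == f"https://{host}" and not is_browser:
        findings.append("Referer claims first-party navigation on the target site, but no browser is involved")
    if IEXPRESS_TMP.search(process_path):
        findings.append("process image lives in an IExpress extraction directory (IXPnnn.TMP)")
    return findings


if __name__ == "__main__":
    body = decode_raw_rows(RAW_ROWS)
    print(f"decoded {len(body)} of {CONTENT_LENGTH} body bytes, complete={body_complete(body, CONTENT_LENGTH)}")
    print("victim geo:", victim_geo(string_fields(body)))
    for finding in triage_request(REQUEST_LINE, REQUEST_HEADERS, PROCESS_PATH):
        print("-", finding)
```

The regex-based field extraction is deliberate: the report shows only the start and end of the response body, so a JSON parser would reject it, while the fields an analyst wants (the geolocated IP, country and ASN) are all in the first row. Sessions 1 and 2 carry the same request and response, so the same constants triage both.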


                                                                                                                                                                                                                Target ID:0
                                                                                                                                                                                                                Start time:04:16:52
                                                                                                                                                                                                                Start date:21/11/2023
                                                                                                                                                                                                                Path:C:\Users\user\Desktop\14OWDrfahJ.exe
                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                Commandline:C:\Users\user\Desktop\14OWDrfahJ.exe
                                                                                                                                                                                                                Imagebase:0x750000
                                                                                                                                                                                                                File size:1'200'128 bytes
                                                                                                                                                                                                                MD5 hash:725DBFED269993CB9944C2E1F7BDE652
                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.1633263282.0000000004F58000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:1
                                                                                                                                                                                                                Start time:04:16:52
                                                                                                                                                                                                                Start date:21/11/2023
                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
                                                                                                                                                                                                                Imagebase:0x10000
                                                                                                                                                                                                                File size:975'872 bytes
                                                                                                                                                                                                                MD5 hash:A8089B11ACB5AEB2755B87605CC0365C
                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                • Detection: 100%, Avira
                                                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                • Detection: 54%, Virustotal, Browse
                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:2
                                                                                                                                                                                                                Start time:04:16:52
                                                                                                                                                                                                                Start date:21/11/2023
                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                Commandline:C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
                                                                                                                                                                                                                Imagebase:0xba0000
                                                                                                                                                                                                                File size:848'896 bytes
                                                                                                                                                                                                                MD5 hash:CC54031BCC9F48998C7AE467ACF73422
                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000002.00000003.1636508373.0000000004A9B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                • Detection: 100%, Avira
                                                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                • Detection: 56%, Virustotal, Browse
                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:3
                                                                                                                                                                                                                Start time:04:16:52
                                                                                                                                                                                                                Start date:21/11/2023
                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe
                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                Commandline:C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe
                                                                                                                                                                                                                Imagebase:0x80000
                                                                                                                                                                                                                File size:505'120 bytes
                                                                                                                                                                                                                MD5 hash:EFBF47DBDF08AC3A28C0236D9C0A4C27
                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                • Detection: 100%, Avira
                                                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                • Detection: 35%, Virustotal, Browse
                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:4
                                                                                                                                                                                                                Start time:04:16:52
                                                                                                                                                                                                                Start date:21/11/2023
                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:5
                                                                                                                                                                                                                Start time:04:17:02
                                                                                                                                                                                                                Start date:21/11/2023
                                                                                                                                                                                                                Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                                                                                                                Imagebase:0x7ff74f990000
                                                                                                                                                                                                                File size:71'680 bytes
                                                                                                                                                                                                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                                Start time:04:17:10
                                                                                                                                                                                                                Start date:21/11/2023
                                                                                                                                                                                                                Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
                                                                                                                                                                                                                Imagebase:0x7ff74f990000
                                                                                                                                                                                                                File size:71'680 bytes
                                                                                                                                                                                                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:8
                                                                                                                                                                                                                Start time:04:17:18
                                                                                                                                                                                                                Start date:21/11/2023
                                                                                                                                                                                                                Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Imagebase:0x7ff71e800000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:04:17:50
Start date:21/11/2023
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:0x6b0000
File size:103'528 bytes
MD5 hash:89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.2372767482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.2373910611.0000000007321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:12
Start time:04:17:50
Start date:21/11/2023
Path:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
Imagebase:0x7f0000
File size:1'322'267 bytes
MD5 hash:5158C4F1C895E03E3157643FBA44BF15
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2581262150.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 65%, Virustotal
Reputation:low
Has exited:true

Target ID:13
Start time:04:17:51
Start date:21/11/2023
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
Imagebase:0xe40000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:04:17:51
Start date:21/11/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:04:17:51
Start date:21/11/2023
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:0xe40000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:04:17:51
Start date:21/11/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:04:17:52
Start date:21/11/2023
Path:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
Wow64 process (32bit):true
Commandline:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
Imagebase:0x10000
File size:1'322'267 bytes
MD5 hash:5158C4F1C895E03E3157643FBA44BF15
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000002.2361383370.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 65%, Virustotal
Reputation:low
Has exited:true

Target ID:18
Start time:04:17:52
Start date:21/11/2023
Path:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
Wow64 process (32bit):true
Commandline:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
Imagebase:0x10000
File size:1'322'267 bytes
MD5 hash:5158C4F1C895E03E3157643FBA44BF15
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false
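
The schtasks records (Target IDs 13 and 15) and the Target ID 17 record together show the persistence step of this chain: the PrivateLoader dropper 3rB05VU.exe (MD5 5158C4F1C895E03E3157643FBA44BF15) copies itself to C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe, registers two tasks that run that copy hourly and at logon with /rl HIGHEST, and the copy then executes with the RisePro Yara match. The Python script below is an added example, not part of the Joe Sandbox report: it parses records in the report's key:value layout, extracts the /create options from the schtasks command lines, flags tasks whose action lives in a user-writable directory at highest run level, correlates the action path with the process record that later ran from it, and groups process paths by MD5 so the dropper's self-copies appear together. The embedded records are copied from this listing and trimmed to the fields the checks use; the directory prefixes treated as user-writable are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: records from this report's process listing (Target IDs
# 12, 13, 15, 17, 19), trimmed to the fields the checks below need.
SAMPLE_RECORDS = r"""
Target ID:12
Path:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
Commandline:C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
MD5 hash:5158C4F1C895E03E3157643FBA44BF15
Yara matches:
• Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe, Author: Joe Security

Target ID:13
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
MD5 hash:48C2FE20575769DE916F48EF0676A965

Target ID:15
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
MD5 hash:48C2FE20575769DE916F48EF0676A965

Target ID:17
Path:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
Commandline:C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
MD5 hash:5158C4F1C895E03E3157643FBA44BF15
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000002.2361383370.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:19
Path:C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
Commandline:"C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe"
MD5 hash:5158C4F1C895E03E3157643FBA44BF15
"""

# Assumption: directories an unprivileged user can write to; a task action
# under one of these is a persistence indicator worth a closer look.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted argument or bare word


def parse_records(text):
    """Split a process listing into one dict per 'Target ID' block. Lines split
    on the first colon only, so drive letters in paths survive; bullet lines
    ('• ...') attach to the preceding list-valued key such as 'Yara matches'."""
    records, current, list_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Target ID:"):
            current = {}
            records.append(current)
        if current is None:
            continue
        if line.startswith("•"):
            if list_key:
                current.setdefault(list_key, []).append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")
        if value == "":            # header of a list-valued field
            list_key = key
            current[key] = []
        else:
            list_key = None
            current[key] = value
    return records


def parse_schtasks(cmdline):
    """Return the options of a 'schtasks /create' command line as a dict
    (lower-cased option names), or None if this is not a task creation."""
    tokens = [q if q else u for q, u in _TOKEN.findall(cmdline)]
    exe = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    if not exe.startswith("schtasks") or "/create" not in (t.lower() for t in tokens):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]   # option with a value (/tr, /tn, /sc, /rl, /ru)
                i += 2
                continue
            opts[name] = True                # bare flag (/create, /f)
        i += 1
    return opts


def find_persistence(records):
    """Flag task creations whose action runs from a user-writable directory
    and correlate the action path with the record that later executed it."""
    by_path = {}
    for r in records:
        by_path.setdefault(r.get("Path", "").lower(), r)
    findings = []
    for r in records:
        opts = parse_schtasks(r.get("Commandline", ""))
        if not opts or "tr" not in opts:
            continue
        action = opts["tr"]
        executed = by_path.get(action.lower())
        yara = (executed or {}).get("Yara matches", [])
        findings.append({
            "target_id": r["Target ID"],
            "task": opts.get("tn"),
            "trigger": str(opts.get("sc", "")).upper(),
            "highest": str(opts.get("rl", "")).upper() == "HIGHEST",
            "action": action,
            "user_writable": action.lower().startswith(USER_WRITABLE_PREFIXES),
            "action_md5": executed.get("MD5 hash") if executed else None,
            "action_yara": [m.split(",")[0].replace("Rule: ", "") for m in yara],
        })
    return findings


def same_binary_copies(records):
    """Group paths by MD5: a dropper that copies itself under new names shows
    up as one hash at several paths (only hashes seen at 2+ paths are kept)."""
    paths = defaultdict(set)
    for r in records:
        if "MD5 hash" in r and "Path" in r:
            paths[r["MD5 hash"]].add(r["Path"])
    return {md5: sorted(p) for md5, p in paths.items() if len(p) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for finding in find_persistence(recs):
        print(finding)
    for md5, copies in same_binary_copies(recs).items():
        print(md5, copies)
```

On a live host the same checks apply to the output of `schtasks /query /xml` or the Task Scheduler event log (event 4698 with auditing enabled): a task whose action sits under ProgramData or a user profile, runs with highest privileges, and fires both hourly and at logon is the pattern these two records establish, and the MD5 grouping is what ties the ProgramData copy and the later AppData\Local copy back to the original dropper.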

Target ID:19
Start time:04:18:04
Start date:21/11/2023
Path:C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe"
Imagebase:0x590000
File size:1'322'267 bytes
MD5 hash:5158C4F1C895E03E3157643FBA44BF15
Has elevated privileges:false
Has administrator privileges:false
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe, Author: Joe Security
                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                • Detection: 65%, Virustotal, Browse
                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:20
                                                                                                                                                                                                                Start time:04:18:13
                                                                                                                                                                                                                Start date:21/11/2023
                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe"
                                                                                                                                                                                                                Imagebase:0x590000
                                                                                                                                                                                                                File size:1'322'267 bytes
                                                                                                                                                                                                                MD5 hash:5158C4F1C895E03E3157643FBA44BF15
                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                Target ID:22
                                                                                                                                                                                                                Start time:04:18:22
                                                                                                                                                                                                                Start date:21/11/2023
                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe
                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe"
                                                                                                                                                                                                                Imagebase:0x830000
                                                                                                                                                                                                                File size:1'322'267 bytes
                                                                                                                                                                                                                MD5 hash:5158C4F1C895E03E3157643FBA44BF15
                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe, Author: Joe Security
                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                • Detection: 65%, Virustotal, Browse
                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                Has exited:true


Execution Graph

Execution Coverage: 29.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 28.2%
Total number of Nodes: 963
Total number of Limit Nodes: 27
execution_graph: rendered call-graph figure (node addresses with resolved API names and their edges); the interactive node listing is not reproduced as text.
2915 7566c8 2 API calls 2912->2915 2913->2912 2914 751bf7 GetFileAttributesA 2913->2914 2916 751d53 2914->2916 2917 751c0d 2914->2917 2918 751d7d 2915->2918 2919 751d64 2916->2919 2917->2916 2924 751a84 2 API calls 2917->2924 2920 751d81 CompareStringA 2918->2920 2921 751df8 LocalAlloc 2918->2921 2922 7544b9 20 API calls 2919->2922 2920->2921 2931 751d9b 2920->2931 2921->2919 2923 751e0b GetFileAttributesA 2921->2923 2939 751d6c 2922->2939 2925 751e45 2923->2925 2926 751e1d 2923->2926 2927 751c31 2924->2927 3015 752aac 2925->3015 2926->2925 2928 751c50 LocalAlloc 2927->2928 2932 751a84 2 API calls 2927->2932 2928->2919 2929 751c67 GetPrivateProfileIntA GetPrivateProfileStringA 2928->2929 2938 751cf8 2929->2938 2943 751cc2 2929->2943 2930 756ce0 4 API calls 2936 751ea1 2930->2936 2931->2931 2933 751dbe LocalAlloc 2931->2933 2932->2928 2933->2919 2937 751de1 2933->2937 2936->2672 2940 75171e _vsnprintf 2937->2940 2941 751d23 2938->2941 2942 751d09 GetShortPathNameA 2938->2942 2939->2930 2940->2943 2944 75171e _vsnprintf 2941->2944 2942->2941 2943->2939 2944->2943 2946 752256 2945->2946 2947 75209a 2945->2947 2948 756ce0 4 API calls 2946->2948 2950 75171e _vsnprintf 2947->2950 2952 7520dc 2947->2952 2949 752263 2948->2949 2949->2672 2951 7520af RegQueryValueExA 2950->2951 2951->2947 2951->2952 2953 7520e4 RegCloseKey 2952->2953 2954 7520fb GetSystemDirectoryA 2952->2954 2953->2946 2955 75658a CharPrevA 2954->2955 2956 75211b LoadLibraryA 2955->2956 2957 75212e GetProcAddress FreeLibrary 2956->2957 2958 752179 GetModuleFileNameA 2956->2958 2957->2958 2960 75214e GetSystemDirectoryA 2957->2960 2959 7521de RegCloseKey 2958->2959 2963 752177 2958->2963 2959->2946 2961 752165 2960->2961 2960->2963 2962 75658a CharPrevA 2961->2962 2962->2963 2963->2963 2964 7521b7 LocalAlloc 2963->2964 2965 7521cd 2964->2965 2966 7521ec 2964->2966 2967 7544b9 20 API calls 2965->2967 2968 75171e _vsnprintf 2966->2968 2967->2959 2969 752218 RegSetValueExA RegCloseKey LocalFree 2968->2969 
2969->2946 2972 754016 CreateProcessA 2971->2972 2983 754106 2971->2983 2973 7540c4 2972->2973 2974 754041 WaitForSingleObject GetExitCodeProcess 2972->2974 2976 756285 GetLastError 2973->2976 2977 754070 2974->2977 2975 756ce0 4 API calls 2978 754117 2975->2978 2980 7540c9 GetLastError FormatMessageA 2976->2980 3042 75411b 2977->3042 2978->2672 2982 7544b9 20 API calls 2980->2982 2981 754096 CloseHandle CloseHandle 2981->2983 2984 7540ba 2981->2984 2982->2983 2983->2975 2984->2983 2986 7564c2 2985->2986 2987 75658a CharPrevA 2986->2987 2988 7564d8 GetFileAttributesA 2987->2988 2989 756501 LoadLibraryA 2988->2989 2990 7564ea 2988->2990 2991 756508 2989->2991 2990->2989 2992 7564ee LoadLibraryExA 2990->2992 2993 756ce0 4 API calls 2991->2993 2992->2991 2994 756513 2993->2994 2994->2696 2996 752381 2995->2996 2997 752289 RegOpenKeyExA 2995->2997 2998 756ce0 4 API calls 2996->2998 2997->2996 2999 7522b1 RegQueryValueExA 2997->2999 3000 75238c 2998->3000 3001 752374 RegCloseKey 2999->3001 3002 7522e6 memset GetSystemDirectoryA 2999->3002 3000->2669 3001->2996 3003 752321 3002->3003 3004 75230f 3002->3004 3006 75171e _vsnprintf 3003->3006 3005 75658a CharPrevA 3004->3005 3005->3003 3007 75233f RegSetValueExA 3006->3007 3007->3001 3010 751a9a 3009->3010 3012 751aba 3010->3012 3014 751aaf 3010->3014 3028 75667f 3010->3028 3012->2907 3013 75667f 2 API calls 3013->3014 3014->3012 3014->3013 3016 752ad4 GetModuleFileNameA 3015->3016 3017 752be6 3015->3017 3027 752b02 3016->3027 3018 756ce0 4 API calls 3017->3018 3020 752bf5 3018->3020 3019 752af1 IsDBCSLeadByte 3019->3027 3020->2939 3021 752b11 CharNextA CharUpperA 3024 752b8d CharUpperA 3021->3024 3021->3027 3022 752bca CharNextA 3023 752bd3 CharNextA 3022->3023 3023->3027 3024->3027 3026 752b43 CharPrevA 3026->3027 3027->3017 3027->3019 3027->3021 3027->3022 3027->3023 3027->3026 3033 7565e8 3027->3033 3029 756689 3028->3029 3030 756648 IsDBCSLeadByte 3029->3030 3031 756697 CharNextA 3029->3031 3032 7566a5 3029->3032 
3030->3029 3031->3029 3032->3010 3034 7565f4 3033->3034 3034->3034 3035 7565fb CharPrevA 3034->3035 3036 756611 CharPrevA 3035->3036 3037 75660b 3036->3037 3038 75661e 3036->3038 3037->3036 3037->3038 3039 75663d 3038->3039 3040 756634 CharNextA 3038->3040 3041 756627 CharPrevA 3038->3041 3039->3027 3040->3039 3041->3039 3041->3040 3043 754132 3042->3043 3045 75412a 3042->3045 3046 751ea7 3043->3046 3045->2981 3047 751eba 3046->3047 3049 751ed3 3046->3049 3048 75256d 15 API calls 3047->3048 3048->3049 3049->3045 3051 752026 3050->3051 3052 751ff0 RegOpenKeyExA 3050->3052 3051->2320 3052->3051 3053 75200f RegDeleteValueA RegCloseKey 3052->3053 3053->3051 3054 754ca0 GlobalAlloc 3163 756a20 __getmainargs 3164 7519e0 3165 751a24 GetDesktopWindow 3164->3165 3166 751a03 3164->3166 3167 7543d0 11 API calls 3165->3167 3168 751a20 3166->3168 3169 751a16 EndDialog 3166->3169 3170 751a33 LoadStringA SetDlgItemTextA MessageBeep 3167->3170 3171 756ce0 4 API calls 3168->3171 3169->3168 3170->3168 3172 751a7e 3171->3172 3173 756bef _XcptFilter 3055 754cd0 3056 754cf4 3055->3056 3057 754d0b 3055->3057 3058 754d02 3056->3058 3059 754b60 FindCloseChangeNotification 3056->3059 3057->3058 3061 754dcb 3057->3061 3064 754d25 3057->3064 3060 756ce0 4 API calls 3058->3060 3059->3058 3063 754e95 3060->3063 3062 754dd4 SetDlgItemTextA 3061->3062 3065 754de3 3061->3065 3062->3065 3064->3058 3078 754c37 3064->3078 3065->3058 3083 75476d 3065->3083 3069 754e38 3069->3058 3070 754980 25 API calls 3069->3070 3072 754e56 3070->3072 3071 754b60 FindCloseChangeNotification 3073 754d99 SetFileAttributesA 3071->3073 3072->3058 3074 754e64 3072->3074 3073->3058 3092 7547e0 LocalAlloc 3074->3092 3077 754e6f 3077->3058 3079 754c88 3078->3079 3080 754c4c DosDateTimeToFileTime 3078->3080 3079->3058 3079->3071 3080->3079 3081 754c5e LocalFileTimeToFileTime 3080->3081 3081->3079 3082 754c70 SetFileTime 3081->3082 3082->3079 3101 7566ae GetFileAttributesA 3083->3101 3085 75477b 3085->3069 3086 7547cc 
SetFileAttributesA 3088 7547db 3086->3088 3088->3069 3089 756517 24 API calls 3090 7547b1 3089->3090 3090->3086 3090->3088 3091 7547c2 3090->3091 3091->3086 3093 7547f6 3092->3093 3094 75480f LocalAlloc 3092->3094 3095 7544b9 20 API calls 3093->3095 3097 75480b 3094->3097 3098 754831 3094->3098 3095->3097 3097->3077 3099 7544b9 20 API calls 3098->3099 3100 754846 LocalFree 3099->3100 3100->3097 3102 754777 3101->3102 3102->3085 3102->3086 3102->3089 3103 754ad0 3111 753680 3103->3111 3106 754aee WriteFile 3108 754b0f 3106->3108 3109 754b14 3106->3109 3107 754ae9 3109->3108 3110 754b3b SendDlgItemMessageA 3109->3110 3110->3108 3112 753691 MsgWaitForMultipleObjects 3111->3112 3113 7536a9 PeekMessageA 3112->3113 3114 7536e8 3112->3114 3113->3112 3115 7536bc 3113->3115 3114->3106 3114->3107 3115->3112 3115->3114 3116 7536c7 DispatchMessageA 3115->3116 3117 7536d1 PeekMessageA 3115->3117 3116->3117 3117->3115 3174 753450 3175 7534d3 EndDialog 3174->3175 3176 75345e 3174->3176 3178 75346a 3175->3178 3177 75349a GetDesktopWindow 3176->3177 3182 753465 3176->3182 3179 7543d0 11 API calls 3177->3179 3180 7534ac SetWindowTextA SetDlgItemTextA SetForegroundWindow 3179->3180 3180->3178 3181 75348c EndDialog 3181->3178 3182->3178 3182->3181 3183 754a50 3184 754a66 3183->3184 3185 754a9f ReadFile 3183->3185 3186 754abb 3184->3186 3187 754a82 memcpy 3184->3187 3185->3186 3187->3186 3188 753210 3189 753227 3188->3189 3190 75328e EndDialog 3188->3190 3191 753235 3189->3191 3192 7533e2 GetDesktopWindow 3189->3192 3205 753239 3190->3205 3196 7532dd GetDlgItemTextA 3191->3196 3197 75324c 3191->3197 3191->3205 3194 7543d0 11 API calls 3192->3194 3195 7533f1 SetWindowTextA SendDlgItemMessageA 3194->3195 3198 75341f GetDlgItem EnableWindow 3195->3198 3195->3205 3206 7532fc 3196->3206 3221 753366 3196->3221 3199 7532c5 EndDialog 3197->3199 3200 753251 3197->3200 3198->3205 3199->3205 3201 75325c LoadStringA 3200->3201 3200->3205 3203 753294 3201->3203 3204 75327b 3201->3204 3202 7544b9 20 
API calls 3202->3205 3226 754224 LoadLibraryA 3203->3226 3209 7544b9 20 API calls 3204->3209 3208 753331 GetFileAttributesA 3206->3208 3206->3221 3211 75337c 3208->3211 3212 75333f 3208->3212 3209->3190 3214 75658a CharPrevA 3211->3214 3215 7544b9 20 API calls 3212->3215 3213 7532a5 SetDlgItemTextA 3213->3204 3213->3205 3216 75338d 3214->3216 3217 753351 3215->3217 3218 7558c8 27 API calls 3216->3218 3217->3205 3219 75335a CreateDirectoryA 3217->3219 3220 753394 3218->3220 3219->3211 3219->3221 3220->3221 3222 7533a4 3220->3222 3221->3202 3223 7533c7 EndDialog 3222->3223 3224 75597d 34 API calls 3222->3224 3223->3205 3225 7533c3 3224->3225 3225->3205 3225->3223 3227 754246 GetProcAddress 3226->3227 3228 7543b2 3226->3228 3229 7543a4 FreeLibrary 3227->3229 3230 75425d GetProcAddress 3227->3230 3232 7544b9 20 API calls 3228->3232 3229->3228 3230->3229 3231 754274 GetProcAddress 3230->3231 3231->3229 3233 75428b 3231->3233 3234 75329d 3232->3234 3235 754295 GetTempPathA 3233->3235 3240 7542e1 3233->3240 3234->3205 3234->3213 3236 7542ad 3235->3236 3236->3236 3237 7542b4 CharPrevA 3236->3237 3238 7542d0 CharPrevA 3237->3238 3237->3240 3238->3240 3239 754390 FreeLibrary 3239->3234 3240->3239 3118 754cc0 GlobalFree 3241 756f40 SetUnhandledExceptionFilter 3242 753100 3243 7531b0 3242->3243 3246 753111 3242->3246 3244 7531b9 SendDlgItemMessageA 3243->3244 3245 753141 3243->3245 3244->3245 3248 75311d 3246->3248 3249 753149 GetDesktopWindow 3246->3249 3247 753138 EndDialog 3247->3245 3248->3245 3248->3247 3250 7543d0 11 API calls 3249->3250 3251 75315d 6 API calls 3250->3251 3251->3245 3252 754200 3253 75421e 3252->3253 3254 75420b SendMessageA 3252->3254 3254->3253 3255 754bc0 3256 754c05 3255->3256 3258 754bd7 3255->3258 3257 754c1b SetFilePointer 3256->3257 3256->3258 3257->3258 3259 7530c0 3260 7530de CallWindowProcA 3259->3260 3261 7530ce 3259->3261 3262 7530da 3260->3262 3261->3260 3261->3262 3263 7563c0 3264 756407 3263->3264 3265 75658a CharPrevA 3264->3265 3266 
756415 CreateFileA 3265->3266 3267 756448 WriteFile 3266->3267 3268 75643a 3266->3268 3269 756465 CloseHandle 3267->3269 3271 756ce0 4 API calls 3268->3271 3269->3268 3272 75648f 3271->3272 3273 756c03 3274 756c17 _exit 3273->3274 3275 756c1e 3273->3275 3274->3275 3276 756c27 _cexit 3275->3276 3277 756c32 3275->3277 3276->3277

Callgraph

[Callgraph: function nodes and call edges of the interactive graph rendering omitted]

Control-flow Graph

APIs
• memset.MSVCRT ref: 00752050
• memset.MSVCRT ref: 0075205F
• RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0075208C
  • Part of subcall function 0075171E: _vsnprintf.MSVCRT ref: 00751750
• RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 007520C9
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 007520EA
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00752103
• LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00752122
• GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00752134
• FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00752144
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0075215B
• GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0075218C
• LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 007521C1
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 007521E4
• RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0075223D
• RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00752249
• LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00752250
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
• String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
• API String ID: 178549006-3726664654
• Opcode ID: 0771bd97e218f9e7af29936048e58239318673d68e79ba04f201800ade96c3cb
• Instruction ID: 891f1ffe5e289a17553894e67904f86c7f4fab6b0170b7bd2a6d1b23f928b21a
• Opcode Fuzzy Hash: 0771bd97e218f9e7af29936048e58239318673d68e79ba04f201800ade96c3cb
• Instruction Fuzzy Hash: 9051D871900218BBDB209B64DC49FFB7738EB45702F0042A4BE49A7191EEF99D4D8A65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph: node and edge data of the interactive graph rendering omitted]
APIs
• memset.MSVCRT ref: 00753C11
• CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00753CDC
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546A0
  • Part of subcall function 0075468F: SizeofResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A9
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546C3
  • Part of subcall function 0075468F: LoadResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546CC
  • Part of subcall function 0075468F: LockResource.KERNEL32(00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546D3
  • Part of subcall function 0075468F: memcpy_s.MSVCRT ref: 007546E5
  • Part of subcall function 0075468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546EF
• CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00758C42), ref: 00753D8F
• GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00753E26
• FreeLibrary.KERNEL32(00000000,?,00758C42), ref: 00753EFF
• LocalFree.KERNEL32(?,?,?,?,00758C42), ref: 00753F1F
• FreeLibrary.KERNEL32(00000000,?,00758C42), ref: 00753F40
• LocalFree.KERNEL32(?,?,?,?,00758C42), ref: 00753F47
• FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00758C42), ref: 00753F76
• LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00758C42), ref: 00753F80
• LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00758C42), ref: 00753FC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
• String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$smo
• API String ID: 1032054927-2222961441
• Opcode ID: 3f360d2c9e9c03f745c9bf1421a37ad4b9bea7a748ce9ebf3f2691759c2301a4
• Instruction ID: 517b85bc2a348d7afd356f9e3abe6994fff5bd82a7f5e7ae3f2b618a8311d540
• Opcode Fuzzy Hash: 3f360d2c9e9c03f745c9bf1421a37ad4b9bea7a748ce9ebf3f2691759c2301a4
• Instruction Fuzzy Hash: C2B1C470A04301DBE7209F248845BEA76F4EB84797F10492DFE85D61E1EBFC8949CB66
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph for the function at 00751AE8 (basic blocks 751ae8-751ea4): calls sub-functions 00751680, 00751A84, 00751781, 0075658A, 007566C8, 007544B9, 00756CE0, 00752AAC, 0075171E and 007516B3; API nodes CompareStringA, GetFileAttributesA, LocalAlloc, GetPrivateProfileIntA, GetPrivateProfileStringA and GetShortPathNameA.]
APIs
• CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00751BE7
• GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00751BFE
• LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00751C57
• GetPrivateProfileIntA.KERNEL32(?,Reboot,00000000,?), ref: 00751C88
• GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00751140,00000000,00000008,?), ref: 00751CB8
• GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00751D1B
  • Part of subcall function 007544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00754518
  • Part of subcall function 007544B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00754554
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
• String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
• API String ID: 383838535-2280873615
• Opcode ID: ae1383ff7d324d483b4bc55ca9fff2edc875971453acfa0149ef6035d91f0a51
• Instruction ID: ad08c04dd6b5ea8ce17f4cf9ad2baeaac14ce60d2c0aa5cfa660ccf9d092bcc6
• Opcode Fuzzy Hash: ae1383ff7d324d483b4bc55ca9fff2edc875971453acfa0149ef6035d91f0a51
• Instruction Fuzzy Hash: E2A128B0A00318ABEB209B24CC45FEA7769DB45313F9442A8ED55A32C1DBFC9D8DCB50
Uniqueness

Uniqueness Score: -1.00%
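The strings recovered from the two functions above (RT_RCDATA resources named TITLE, RUNPROGRAM, POSTRUNPROGRAM, ADMQCMD, USRQCMD, SHOWWINDOW and REBOOT, the IXP000.TMP working directory, advpack.dll with DoInfInstall, and the command templates "rundll32.exe %s,InstallHinfSection %s 128 %s" and "Command.com /c %s") are the layout of the IExpress self-extracting stub: the sample is a standard IExpress package carrying a malicious payload, not a custom loader. Because legitimate installers are built with IExpress too, execution from an IXPnnn.TMP directory alone is a weak signal; the INF install through rundll32 and a shell spawned by the stub are the parts worth alerting on. The script below is an example added by the editor, not part of the Joe Sandbox report, and turns those strings into a process-creation triage heuristic. The record format, the sample events, the file names, the tag weights and the thresholds are assumptions; matching cmd.exe as well as Command.com is an assumption about the modern stub.

```python
"""
IExpress-package triage over process-creation records.

Added example, not from the sandbox report. Indicators come from the strings
recovered above: the IXP000.TMP staging directory, the
"rundll32.exe %s,InstallHinfSection %s 128 %s" template and the
"Command.com /c %s" template used for RUNPROGRAM/POSTRUNPROGRAM. The record
format, sample events, tag weights and thresholds are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Staging directory created by the IExpress stub; nested packages use IXP001.TMP, IXP002.TMP, ...
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
# INF install handed to rundll32 (setupapi.dll, setupx.dll and advpack.dll all export InstallHinfSection).
INF_INSTALL = re.compile(r"\bInstallHinfSection\b", re.IGNORECASE)
# RUNPROGRAM / POSTRUNPROGRAM routed through a shell. The stub's template names
# Command.com; matching cmd.exe as well is an assumption for modern stubs.
SHELL_C = re.compile(r"(?:cmd\.exe|command\.com)\b.*?\s/c\b", re.IGNORECASE)

TAG_WEIGHTS = {
    "exec_from_ixp_dir": 1,     # every IExpress package does this, benign ones included
    "child_of_ixp_stub": 1,
    "inf_install_rundll32": 3,  # the INF-driven install path built by the second function
    "sfx_runprogram_shell": 3,  # RUNPROGRAM/POSTRUNPROGRAM executed via a shell
}

# Constructed records in a simple Key=Value|Key=Value layout (no '|' inside values).
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Users\user\Downloads\sample.exe|CommandLine=C:\Users\user\Downloads\sample.exe",
    r"ParentImage=C:\Users\user\Downloads\sample.exe|Image=C:\Users\user\AppData\Local\Temp\IXP000.TMP\stage1.exe|CommandLine=C:\Users\user\AppData\Local\Temp\IXP000.TMP\stage1.exe",
    r"ParentImage=C:\Users\user\AppData\Local\Temp\IXP000.TMP\stage1.exe|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.inf",
    r"ParentImage=C:\Users\user\AppData\Local\Temp\IXP000.TMP\stage1.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c start /min C:\Users\user\AppData\Local\Temp\IXP000.TMP\payload.exe",
]


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed Key=Value|Key=Value record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(
        parent_image=fields.get("ParentImage", ""),
        image=fields.get("Image", ""),
        command_line=fields.get("CommandLine", ""),
    )


def tag_event(ev: ProcEvent) -> set[str]:
    """Return the IExpress-related tags that apply to a single event."""
    tags: set[str] = set()
    parent_in_ixp = bool(IXP_DIR.search(ev.parent_image))
    if IXP_DIR.search(ev.image):
        tags.add("exec_from_ixp_dir")
    if parent_in_ixp:
        tags.add("child_of_ixp_stub")
    if ev.image.lower().endswith("\\rundll32.exe") and INF_INSTALL.search(ev.command_line):
        tags.add("inf_install_rundll32")
    if parent_in_ixp and SHELL_C.search(ev.command_line):
        tags.add("sfx_runprogram_shell")
    return tags


def score_chain(events: list[ProcEvent]) -> tuple[int, set[str]]:
    """Score a slice of a process tree; each tag counts once however often it recurs."""
    seen: set[str] = set()
    for ev in events:
        seen |= tag_event(ev)
    return sum(TAG_WEIGHTS[t] for t in seen), seen


def verdict(score: int) -> str:
    """Map the chain score to a triage outcome (thresholds are assumptions)."""
    if score >= 4:
        return "review"            # INF install or shell spawn under the stub: unpack the package
    if score >= 1:
        return "iexpress_package"  # IExpress layout only; legitimate installers look the same
    return "none"


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LOG]
    for ev in events:
        print(f"{ev.image}: {sorted(tag_event(ev))}")
    total, tags = score_chain(events)
    print(f"score={total} tags={sorted(tags)} verdict={verdict(total)}")
```

Running the script over the constructed chain tags the stub's own launch only as an IExpress package, and raises the verdict to "review" once the rundll32 InstallHinfSection child and the cmd.exe /c child appear under the IXP000.TMP parent; the same two children are where a static unpack of the package (the RUNPROGRAM and POSTRUNPROGRAM resources and the embedded INF) will show the real command lines.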

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph for the function at 0075597D (basic blocks 75597d-755c14): calls sub-functions 007544B9, 00756285, 00756CE0 and 0075268B; API nodes GetCurrentDirectoryA, SetCurrentDirectoryA, GetDiskFreeSpaceA, MulDiv, GetVolumeInformationA, memset, GetLastError and FormatMessageA.]
APIs
• GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 007559A8
• SetCurrentDirectoryA.KERNELBASE(?), ref: 007559AF
• GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00755A13
• MulDiv.KERNEL32(?,?,00000400), ref: 00755A40
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00755A64
• memset.MSVCRT ref: 00755A7C
• GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00755A98
• FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00755AA5
• SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00755BFC
  • Part of subcall function 007544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00754518
  • Part of subcall function 007544B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00754554
  • Part of subcall function 00756285: GetLastError.KERNEL32(00755BBC), ref: 00756285
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
• String ID:
• API String ID: 4237285672-0
• Opcode ID: fdd565cd73cb9040f4fd6d9240699bc14fb0eb1d8ba70679e695f709a2915a88
• Instruction ID: 0c3091e5bc5685661f89dc9264a06300e076f6e6a2e7dbed165c13476053fc4b
• Opcode Fuzzy Hash: fdd565cd73cb9040f4fd6d9240699bc14fb0eb1d8ba70679e695f709a2915a88
• Instruction Fuzzy Hash: 1271ABB150071CAFDB159B64CC99FFB77BCEB48302F4481A9F905D2140EAB89E49CB24
Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (image not available; node and edge list as extracted)
• control_flow_graph 434 754fe0-75501a call 75468f FindResourceA LoadResource LockResource 437 755161-755163 434->437 438 755020-755027 434->438 439 755057-75505e call 754efd 438->439 440 755029-755051 GetDlgItem ShowWindow GetDlgItem ShowWindow 438->440 443 755060-755077 call 7544b9 439->443 444 75507c-7550b4 439->444 440->439 450 755107-75510e 443->450 448 7550b6-7550da 444->448 449 7550e8-755104 call 7544b9 444->449 461 755106 448->461 462 7550dc 448->462 449->461 452 755110-755117 FreeResource 450->452 453 75511d-75511f 450->453 452->453 456 755121-755127 453->456 457 75513a-755141 453->457 456->457 458 755129-755135 call 7544b9 456->458 459 755143-75514a 457->459 460 75515f 457->460 458->457 459->460 464 75514c-755159 SendMessageA 459->464 460->437 461->450 465 7550e3-7550e6 462->465 464->460 465->449 465->461
APIs
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546A0
  • Part of subcall function 0075468F: SizeofResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A9
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546C3
  • Part of subcall function 0075468F: LoadResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546CC
  • Part of subcall function 0075468F: LockResource.KERNEL32(00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546D3
  • Part of subcall function 0075468F: memcpy_s.MSVCRT ref: 007546E5
  • Part of subcall function 0075468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546EF
• FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00754FFE
• LoadResource.KERNEL32(00000000,00000000), ref: 00755006
• LockResource.KERNEL32(00000000), ref: 0075500D
• GetDlgItem.USER32(00000000,00000842), ref: 00755030
• ShowWindow.USER32(00000000), ref: 00755037
• GetDlgItem.USER32(00000841,00000005), ref: 0075504A
• ShowWindow.USER32(00000000), ref: 00755051
• FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00755111
• SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00755159
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
• String ID: *MEMCAB$CABINET
• API String ID: 1305606123-2642027498
• Opcode ID: 73d7e67f556a92d92f469080fa2c8ab4ff8fd893ee2a1d8dc7a3aa891f4f74aa
• Instruction ID: 6809f92193ca96005137d44676a2eea0034c2ca6d250e38a239c002776b871f2
• Opcode Fuzzy Hash: 73d7e67f556a92d92f469080fa2c8ab4ff8fd893ee2a1d8dc7a3aa891f4f74aa
• Instruction Fuzzy Hash: 3431FCB0640B19BBE7205B619C9EFE73A5CB74475BF048134FE05A21E1EBFC8C448A69
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (image not available; node and edge list as extracted)
• control_flow_graph 510 752f1d-752f3d 511 752f6c-752f73 call 755164 510->511 512 752f3f-752f46 510->512 520 753041 511->520 521 752f79-752f80 call 7555a0 511->521 514 752f5f-752f66 call 753a3f 512->514 515 752f48 call 7551e5 512->515 514->511 514->520 522 752f4d-752f4f 515->522 524 753043-753053 call 756ce0 520->524 521->520 528 752f86-752fbe GetSystemDirectoryA call 75658a LoadLibraryA 521->528 522->520 525 752f55-752f5d 522->525 525->511 525->514 532 752ff7-753004 FreeLibrary 528->532 533 752fc0-752fd4 GetProcAddress 528->533 534 753017-753024 SetCurrentDirectoryA 532->534 535 753006-75300c 532->535 533->532 536 752fd6-752fee DecryptFileA 533->536 538 753054-75305a 534->538 539 753026-75303c call 7544b9 call 756285 534->539 535->534 537 75300e call 75621e 535->537 536->532 550 752ff0-752ff5 536->550 548 753013-753015 537->548 540 753065-75306c 538->540 541 75305c call 753b26 538->541 539->520 546 75307c-753089 540->546 547 75306e-753075 call 75256d 540->547 551 753061-753063 541->551 553 7530a1-7530a9 546->553 554 75308b-753091 546->554 556 75307a 547->556 548->520 548->534 550->532 551->520 551->540 559 7530b4-7530b7 553->559 560 7530ab-7530ad 553->560 554->553 557 753093 call 753ba2 554->557 556->546 564 753098-75309a 557->564 559->524 560->559 562 7530af call 754169 560->562 562->559 564->520 565 75309c 564->565 565->553
APIs
• GetSystemDirectoryA.KERNEL32(?,00000105), ref: 00752F93
• LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00752FB2
• GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00752FC6
• DecryptFileA.ADVAPI32 ref: 00752FE6
• FreeLibrary.KERNEL32(00000000), ref: 00752FF8
• SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0075301C
  • Part of subcall function 007551E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00752F4D,?,00000002,00000000), ref: 00755201
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
• API String ID: 2126469477-1173327654
• Opcode ID: b40f560039b9097c440b2accf0e148bd7e92a4c8661240773f28edad9a424753
• Instruction ID: 3bb2c5e70ba2b16ac8d4cbbfaab6f73fe00b7cdb277f5b00dbc2aa5a367a9622
• Opcode Fuzzy Hash: b40f560039b9097c440b2accf0e148bd7e92a4c8661240773f28edad9a424753
• Instruction Fuzzy Hash: 0741E931A00309DBDB70AB71AC496E637A99B44793F008165AD09D21E1FFFCCE8DCA65
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (image not available; node and edge list as extracted)
• control_flow_graph 582 755467-755484 583 75551c-755528 call 751680 582->583 584 75548a-755490 call 7553a1 582->584 588 75552d-755539 call 7558c8 583->588 587 755495-755497 584->587 589 755581-755583 587->589 590 75549d-7554c0 call 751781 587->590 597 75554d-755552 588->597 598 75553b-755545 CreateDirectoryA 588->598 592 75558d-75559d call 756ce0 589->592 599 7554c2-7554d8 GetSystemInfo 590->599 600 75550c-75551a call 75658a 590->600 604 755585-75558b 597->604 605 755554-755557 call 75597d 597->605 602 755577-75557c call 756285 598->602 603 755547 598->603 608 7554fe 599->608 609 7554da-7554dd 599->609 600->588 602->589 603->597 604->592 615 75555c-75555e 605->615 616 755503-755507 call 75658a 608->616 613 7554f7-7554fc 609->613 614 7554df-7554e2 609->614 613->616 617 7554e4-7554e7 614->617 618 7554f0-7554f5 614->618 615->604 619 755560-755566 615->619 616->600 617->600 621 7554e9-7554ee 617->621 618->616 619->589 622 755568-755575 RemoveDirectoryA 619->622 621->616 622->589
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 007554C9
                                                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0075553D
                                                                                                                                                                                                                  • RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0075556F
                                                                                                                                                                                                                    • Part of subcall function 007553A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 007553FB
                                                                                                                                                                                                                    • Part of subcall function 007553A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00755402
                                                                                                                                                                                                                    • Part of subcall function 007553A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0075541F
                                                                                                                                                                                                                    • Part of subcall function 007553A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0075542B
                                                                                                                                                                                                                    • Part of subcall function 007553A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00755434
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
• API String ID: 1979080616-3374052426
• Opcode ID: c2411734195dee2e329cbbe97a576a370259ece6ae408974b582528df24254bc
• Instruction ID: 4636e1e52559abde38c5298f3a298211b5aecf2e3663e1113ad1c2f072ecbc20
• Opcode Fuzzy Hash: c2411734195dee2e329cbbe97a576a370259ece6ae408974b582528df24254bc
• Instruction Fuzzy Hash: 47312871B00B14E7DB109B259C286FE779BAB81303B54412AAD06D2550FEFC8E1D8695
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• FindFirstFileA.KERNELBASE(?,00758A3A,007511F4,00758A3A,00000000,?,?), ref: 007523F6
• lstrcmpA.KERNEL32(?,007511F8), ref: 00752427
• lstrcmpA.KERNEL32(?,007511FC), ref: 0075243B
• SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00752495
• DeleteFileA.KERNEL32(?), ref: 007524A3
• FindNextFileA.KERNELBASE(00000000,00000010), ref: 007524AF
• FindClose.KERNELBASE(00000000), ref: 007524BE
• RemoveDirectoryA.KERNELBASE(00758A3A), ref: 007524C5
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
• String ID:
• API String ID: 836429354-0
• Opcode ID: e292760ce402de1ab3f2161cd6d7cde379fd003b7bc1e53c3d0de749e0a50c5e
• Instruction ID: 2af81b11dc957ab9abccd2f26dc1ea56a8d5fe972afd0be8bce4bf6d65889495
• Opcode Fuzzy Hash: e292760ce402de1ab3f2161cd6d7cde379fd003b7bc1e53c3d0de749e0a50c5e
• Instruction Fuzzy Hash: 82316231604744EBD320DB64CC8DAEB73A8AB85307F44493DB95986191EFBC9D0E8766
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32(?,00000002,00000000,?,00756BB0,00750000,00000000,00000002,0000000A), ref: 00752C03
• GetModuleHandleW.KERNEL32(Kernel32.dll,?,00756BB0,00750000,00000000,00000002,0000000A), ref: 00752C18
• GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00752C28
• CloseHandle.KERNEL32(00000000,?,?,00756BB0,00750000,00000000,00000002,0000000A), ref: 00752C98
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Handle$AddressCloseModuleProcVersion
• String ID: HeapSetInformation$Kernel32.dll
• API String ID: 62482547-3460614246
• Opcode ID: 0556eaea33e836a394424f145584da00888399da8c9555207bcd5250805fa3ca
• Instruction ID: e742f83a0b5e6863c88fd45d32dd9ab851b18e76a5edf0c14bbd83853ce2933c
• Opcode Fuzzy Hash: 0556eaea33e836a394424f145584da00888399da8c9555207bcd5250805fa3ca
• Instruction Fuzzy Hash: FE11E771300305ABE7106B75AC49AEE3759AB46353F048125BD04D3293DEEDDC0B8679
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function 7555a0; rendered graph not captured, executed and not-executed blocks were marked in the original; basic blocks call LocalAlloc, lstrcmpA, LocalFree, GetTempPathA, GetDriveTypeA, GetFileAttributesA, GetWindowsDirectoryA, CreateDirectoryA, SetFileAttributesA and subroutines 75468f, 7544b9, 756285, 755467, 756ce0, 751781, 752630, 75597d, 756952, 75658a, 756517)
APIs
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546A0
  • Part of subcall function 0075468F: SizeofResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A9
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546C3
  • Part of subcall function 0075468F: LoadResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546CC
  • Part of subcall function 0075468F: LockResource.KERNEL32(00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546D3
  • Part of subcall function 0075468F: memcpy_s.MSVCRT ref: 007546E5
  • Part of subcall function 0075468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546EF
• LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 007555CF
• lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00755638
• LocalFree.KERNEL32(00000000), ref: 0075564C
• LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00755620
  • Part of subcall function 007544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00754518
  • Part of subcall function 007544B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00754554
  • Part of subcall function 00756285: GetLastError.KERNEL32(00755BBC), ref: 00756285
• GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 007556B9
• GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 0075571E
• GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00755737
• GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 007557CD
• GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 007557EF
• CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00755802
  • Part of subcall function 00752630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00752654
• SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00755830
  • Part of subcall function 00756517: FindResourceA.KERNEL32(00750000,000007D6,00000005), ref: 0075652A
  • Part of subcall function 00756517: LoadResource.KERNEL32(00750000,00000000,?,?,00752EE8,00000000,007519E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00756538
  • Part of subcall function 00756517: DialogBoxIndirectParamA.USER32(00750000,00000000,00000547,007519E0,00000000), ref: 00756557
  • Part of subcall function 00756517: FreeResource.KERNEL32(00000000,?,?,00752EE8,00000000,007519E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00756560
• GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00755878
  • Part of subcall function 0075597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 007559A8
  • Part of subcall function 0075597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 007559AF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
• String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
• API String ID: 2436801531-2740620654
• Opcode ID: 1f5fe1854ab72b0f66ed855c332753bfa63558fd6c2a8bde9ef57b939c35ef22
• Instruction ID: 96b44cee95c8bcf7ba69801bfa9a9349d211f373416ce92c9d7e2369532c9831
• Opcode Fuzzy Hash: 1f5fe1854ab72b0f66ed855c332753bfa63558fd6c2a8bde9ef57b939c35ef22
• Instruction Fuzzy Hash: E98148B0A04A48EBDB209B308C65BEA726D9F64303F404565FD86D2191EFFC9DCE8A14
Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

control_flow_graph 324 752caa-752d1c memset * 3 call 75468f 327 752ef3 324->327 328 752d22-752d27 324->328 330 752ef8-752f01 call 7544b9 327->330 328->327 329 752d2d-752d59 CreateEventA SetEvent call 75468f 328->329 335 752d7d-752d84 329->335 336 752d5b-752d78 call 7544b9 329->336 334 752f06 330->334 337 752f08-752f18 call 756ce0 334->337 339 752e1f-752e2e call 755c9e 335->339 340 752d8a-752da1 call 75468f 335->340 336->334 348 752e30-752e35 339->348 349 752e3a-752e41 339->349 340->336 350 752da3-752dbb CreateMutexA 340->350 348->330 351 752e43-752e4d call 752390 349->351 352 752e52-752e62 FindResourceA 349->352 350->339 353 752dbd-752dc8 GetLastError 350->353 351->334 356 752e64-752e6c LoadResource 352->356 357 752e6e-752e75 352->357 353->339 355 752dca-752dd3 353->355 359 752dd5-752de8 call 7544b9 355->359 360 752dea-752e02 call 7544b9 355->360 356->357 361 752e77 357->361 362 752e7d-752e84 357->362 370 752e04-752e1a CloseHandle 359->370 360->339 360->370 361->362 364 752e86-752e89 362->364 365 752e8b-752e94 call 7536ee 362->365 364->337 365->334 372 752e96-752ea2 365->372 370->334 373 752ea4-752ea8 372->373 374 752eb0-752eba 372->374 373->374 375 752eaa-752eae 373->375 376 752ebc-752ec3 374->376 377 752eef-752ef1 374->377 375->374 375->377 376->377 378 752ec5-752ecc call 7518a3 376->378 377->337 378->377 381 752ece-752eed call 756517 378->381 381->334 381->377
APIs
• memset.MSVCRT ref: 00752CD9
• memset.MSVCRT ref: 00752CE9
• memset.MSVCRT ref: 00752CF9
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546A0
  • Part of subcall function 0075468F: SizeofResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A9
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546C3
  • Part of subcall function 0075468F: LoadResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546CC
  • Part of subcall function 0075468F: LockResource.KERNEL32(00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546D3
  • Part of subcall function 0075468F: memcpy_s.MSVCRT ref: 007546E5
  • Part of subcall function 0075468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546EF
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00752D34
• SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00752D40
• CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00752DAE
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00752DBD
• CloseHandle.KERNEL32(smo,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00752E0A
  • Part of subcall function 007544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00754518
  • Part of subcall function 007544B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00754554
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
• String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$smo
• API String ID: 1002816675-4137116347
• Opcode ID: 6021997d44e456aeaa79f105088a57d2a6df43a26c9156a8e135b55fec823398
• Instruction ID: e840b409f006fe4f49f94063d654813b66edba17bcd11780c1dccff59e80c3d3
• Opcode Fuzzy Hash: 6021997d44e456aeaa79f105088a57d2a6df43a26c9156a8e135b55fec823398
• Instruction Fuzzy Hash: 8751D570340305E7E75467359C0FBFA2698E746713F408039BE46D51D2EEEC8C4AC62A
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 466 7544b9-7544f8 467 7544fe-754525 LoadStringA 466->467 468 754679-75467b 466->468 470 754527-75452e call 75681f 467->470 471 754562-754568 467->471 469 75467c-75468c call 756ce0 468->469 478 754530-75453d call 7567c9 470->478 479 75453f 470->479 473 75456b-754570 471->473 473->473 477 754572-75457c 473->477 480 75457e-754580 477->480 481 7545c9-7545cb 477->481 478->479 485 754544-754554 MessageBoxA 478->485 479->485 486 754583-754588 480->486 483 754607-754617 LocalAlloc 481->483 484 7545cd-7545cf 481->484 489 75455a-75455d 483->489 490 75461d-754628 call 751680 483->490 488 7545d2-7545d7 484->488 485->489 486->486 491 75458a-75458c 486->491 488->488 492 7545d9-7545ed LocalAlloc 488->492 489->469 496 75462d-75463d MessageBeep call 75681f 490->496 494 75458f-754594 491->494 492->489 495 7545f3-754605 call 75171e 492->495 494->494 497 754596-7545ad LocalAlloc 494->497 495->496 505 75463f-75464c call 7567c9 496->505 506 75464e 496->506 497->489 500 7545af-7545c7 call 75171e 497->500 500->496 505->506 508 754653-754677 MessageBoxA LocalFree 505->508 506->508 508->469
APIs
• LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00754518
• MessageBoxA.USER32(?,?,smo,00010010), ref: 00754554
• LocalAlloc.KERNEL32(00000040,00000065), ref: 007545A3
• LocalAlloc.KERNEL32(00000040,00000065), ref: 007545E3
• LocalAlloc.KERNEL32(00000040,00000002), ref: 0075460D
• MessageBeep.USER32(00000000), ref: 00754630
• MessageBoxA.USER32(?,00000000,smo,00000000), ref: 00754666
• LocalFree.KERNEL32(00000000), ref: 0075466F
  • Part of subcall function 0075681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0075686E
  • Part of subcall function 0075681F: GetSystemMetrics.USER32(0000004A), ref: 007568A7
  • Part of subcall function 0075681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 007568CC
  • Part of subcall function 0075681F: RegQueryValueExA.ADVAPI32(?,00751140,00000000,?,?,0000000C), ref: 007568F4
  • Part of subcall function 0075681F: RegCloseKey.ADVAPI32(?), ref: 00756902
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
• String ID: LoadString() Error. Could not load string resource.$smo
• API String ID: 3244514340-2161240188
• Opcode ID: 5ac8ee35aecc73e2d290af93041050905ccef2b93d07e314fd63c37bd1450de8
• Instruction ID: b14b5cb6194c7ac9baa0e27cfa54238e27e9462df2b271c0ce948e8dd950e806
• Opcode Fuzzy Hash: 5ac8ee35aecc73e2d290af93041050905ccef2b93d07e314fd63c37bd1450de8
• Instruction Fuzzy Hash: 54510871900219ABDB219F28CC48BE67BB8EF45306F1041A4FD09A7241DBB9DD4DCBA0
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
  • Part of subcall function 0075171E: _vsnprintf.MSVCRT ref: 00751750
• RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 007553FB
• GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00755402
• GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0075541F
• DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0075542B
• CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00755434
• CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00755452
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
• API String ID: 1082909758-775753704
• Opcode ID: 49d4dbde124e7d73cbe9174b2529d800f20a3e710d7b61985b831253f30f940e
• Instruction ID: 4b395180ef421af238de1ff4005c9ed761ecbfa16a27a883d408ee17747fef79
• Opcode Fuzzy Hash: 49d4dbde124e7d73cbe9174b2529d800f20a3e710d7b61985b831253f30f940e
• Instruction Fuzzy Hash: 6211C871700604B7D3109B269C49FEF766DDBC5713F504125BA4AD21D0DEFC8D8A86A6
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                  control_flow_graph 623 75256d-75257d 624 752583-752589 623->624 625 752622-752627 call 7524e0 623->625 626 7525e8-752607 RegOpenKeyExA 624->626 627 75258b 624->627 630 752629-75262f 625->630 631 7525e3-7525e6 626->631 632 752609-752620 RegQueryInfoKeyA 626->632 629 752591-752595 627->629 627->630 629->630 634 75259b-7525ba RegOpenKeyExA 629->634 631->630 635 7525d1-7525dd RegCloseKey 632->635 634->631 636 7525bc-7525cb RegQueryValueExA 634->636 635->631 636->635
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,00754096,00754096,?,00751ED3,00000001,00000000,?,?,00754137,?), ref: 007525B2
                                                                                                                                                                                                                  • RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00754096,?,00751ED3,00000001,00000000,?,?,00754137,?,00754096), ref: 007525CB
                                                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?,?,00751ED3,00000001,00000000,?,?,00754137,?,00754096), ref: 007525DD
                                                                                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,00754096,00754096,?,00751ED3,00000001,00000000,?,?,00754137,?), ref: 007525FF
                                                                                                                                                                                                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00754096,00000000,00000000,00000000,00000000,?,00751ED3,00000001,00000000), ref: 0075261A
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • System\CurrentControlSet\Control\Session Manager, xrefs: 007525A8
                                                                                                                                                                                                                  • PendingFileRenameOperations, xrefs: 007525C3
                                                                                                                                                                                                                  • System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 007525F5
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: OpenQuery$CloseInfoValue
• String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
• API String ID: 2209512893-559176071
• Opcode ID: bc1cbfea53a31db6bc6a067a2b7221dea148fb33a3bdd40e0dc533f63bd13611
• Instruction ID: df1d72bfc6dd62d0a52c523f937e0d07ae1831f0a56a8e7ef2811e06f75dda1d
• Opcode Fuzzy Hash: bc1cbfea53a31db6bc6a067a2b7221dea148fb33a3bdd40e0dc533f63bd13611
• Instruction Fuzzy Hash: 6D118675912228FB9B209B919C09DFB7F7CEF027A3F5041A5BC08A2041E6B94E49D6A1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted; covers basic blocks 756a60-756c3e)

APIs
  • Part of subcall function 00757155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00757182
  • Part of subcall function 00757155: GetCurrentProcessId.KERNEL32 ref: 00757191
  • Part of subcall function 00757155: GetCurrentThreadId.KERNEL32 ref: 0075719A
  • Part of subcall function 00757155: GetTickCount.KERNEL32 ref: 007571A3
  • Part of subcall function 00757155: QueryPerformanceCounter.KERNEL32(?), ref: 007571B8
• GetStartupInfoW.KERNEL32(?,007572B8,00000058), ref: 00756A7F
• Sleep.KERNEL32(000003E8), ref: 00756AB4
• _amsg_exit.MSVCRT ref: 00756AC9
• _initterm.MSVCRT ref: 00756B1D
• __IsNonwritableInCurrentImage.LIBCMT ref: 00756B49
• exit.KERNELBASE ref: 00756BBF
• _ismbblead.MSVCRT ref: 00756BDA
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
• String ID:
• API String ID: 836923961-0
• Opcode ID: 667583a467749fa20c038aae62acc1977ea202363405cac183ef8d293e96876b
• Instruction ID: c7f00c09022c440fbadb353a26edb8f48eeef1e0287f004ce15d19883660730f
• Opcode Fuzzy Hash: 667583a467749fa20c038aae62acc1977ea202363405cac183ef8d293e96876b
• Instruction Fuzzy Hash: 9941D2B0904369DBDB619B6498057EA77B0FB44723FA4812AEC41E7290CFFC5C49CB96
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted; covers basic blocks 7558c8-75597b)

APIs
• LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00755534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 007558E7
• CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00755534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00755943
• LocalFree.KERNEL32(00000000,?,00755534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0075594D
• CloseHandle.KERNEL32(00000000,?,00755534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0075595C
• GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00755534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00755963
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
• API String ID: 747627703-1664176527
• Opcode ID: 9fdbc0eeb288a16a232e4456292e05e382fe9b89c210d4c38dcfe760b3e5846e
• Instruction ID: c31f74fb48f2ccf7568b96fdbcdfce3b724fff2ebfec3276e3e7c6beb8fdcb7b
• Opcode Fuzzy Hash: 9fdbc0eeb288a16a232e4456292e05e382fe9b89c210d4c38dcfe760b3e5846e
• Instruction Fuzzy Hash: 65113331600320BBD7201B7A9C0CBDB7E99EB45362B104625B909D31D0DBFC980982A4
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 00754033
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00754049
• GetExitCodeProcess.KERNELBASE(?,?), ref: 0075405C
• CloseHandle.KERNEL32(?), ref: 0075409C
• CloseHandle.KERNEL32(?), ref: 007540A8
• GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 007540DC
• FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 007540E9
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3183975587-0
                                                                                                                                                                                                                  • Opcode ID: dbf8f481bed75dd59f62efc560b80659235bf38736ff92148941a76b5e420fb4
                                                                                                                                                                                                                  • Instruction ID: 8442750c2389f4b3975f41f31c75eb0180bdbaedcb8e1db9abccd9990302d786
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dbf8f481bed75dd59f62efc560b80659235bf38736ff92148941a76b5e420fb4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D531B93164071CBBEB205B65DC4DFEB7778D794706F2081A9FA09D21A0CAB84CC5CB15
                                                                                                                                                                                                                  Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546A0
  • Part of subcall function 0075468F: SizeofResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A9
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546C3
  • Part of subcall function 0075468F: LoadResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546CC
  • Part of subcall function 0075468F: LockResource.KERNEL32(00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546D3
  • Part of subcall function 0075468F: memcpy_s.MSVCRT ref: 007546E5
  • Part of subcall function 0075468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546EF
• LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00752F4D,?,00000002,00000000), ref: 00755201
• LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00755250
  • Part of subcall function 007544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00754518
  • Part of subcall function 007544B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00754554
  • Part of subcall function 00756285: GetLastError.KERNEL32(00755BBC), ref: 00756285
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
• String ID: <None>$UPROMPT
• API String ID: 957408736-2980973527
• Opcode ID: 31712f82db22308ba3dc20dae00d2bd9517192c0796aa2d1c3416ec4b0be2822
• Instruction ID: 5f28b0eaa3c77786d06d4668607992e534320b30350f1bca22256c5c44f2b85c
• Opcode Fuzzy Hash: 31712f82db22308ba3dc20dae00d2bd9517192c0796aa2d1c3416ec4b0be2822
• Instruction Fuzzy Hash: 171122B0240705FBE7146BB14C59BFB219DEB89397F008039BF06D6180EAFD8C084239
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNELBASE(03304D88,00000080,?,00000000), ref: 007552F2
• DeleteFileA.KERNELBASE(03304D88), ref: 007552FA
• LocalFree.KERNEL32(03304D88,?,00000000), ref: 00755305
• LocalFree.KERNEL32(03304D88), ref: 0075530C
• SetCurrentDirectoryA.KERNELBASE(007511FC,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00755363
Strings
• C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00755334
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
• API String ID: 2833751637-305352358
• Opcode ID: 25c8694a6553e60b1d7a879d68bde290ad1572f04369138756d1747c73121136
• Instruction ID: 612116723de39c2b6da4fac1d4e1f5e121e13da8851eed8c20b33861ecbd6cf5
• Opcode Fuzzy Hash: 25c8694a6553e60b1d7a879d68bde290ad1572f04369138756d1747c73121136
• Instruction Fuzzy Hash: E121D131521718DBDB609B20DC19BE937A0BB00357F448269ED4A631A0DFFD5D8CCB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0075538C,?,?,0075538C), ref: 00752005
• RegDeleteValueA.KERNELBASE(0075538C,wextract_cleanup0,?,?,0075538C), ref: 00752017
• RegCloseKey.ADVAPI32(0075538C,?,?,0075538C), ref: 00752020
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
• API String ID: 849931509-702805525
• Opcode ID: 3668e7bba6c574f2fe2184ad87d1a4292e38a081398076bd79e5081ee55adfe8
• Instruction ID: 3eb96334b6dc41593f7df28aacc00f1e4148374651700fa1929fcfad6e0a3b39
• Opcode Fuzzy Hash: 3668e7bba6c574f2fe2184ad87d1a4292e38a081398076bd79e5081ee55adfe8
• Instruction Fuzzy Hash: 1FE04870551318BBDB214F90ED0AFD97B29F701743F1002A5BD0CB00E1FBE95918D60A
Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00754DB5
                                                                                                                                                                                                                  • SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00754DDD
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: AttributesFileItemText
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
• API String ID: 3625706803-305352358
• Opcode ID: fde6947948a58368964c3a0be1b8f769ee34c7fdeee0cb0e3f4b2f7e616f9226
• Instruction ID: 7217ba9e024d6380a112017e48445110e5a2dc9a5db1a0fd2dee08f2a03b7dd6
• Opcode Fuzzy Hash: fde6947948a58368964c3a0be1b8f769ee34c7fdeee0cb0e3f4b2f7e616f9226
• Instruction Fuzzy Hash: 2F4112363003059BCB258F28DC486F573B5AB4530AF048668DD8A97285EAFEDECEC750
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00754C54
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00754C66
• SetFileTime.KERNELBASE(?,?,?,?), ref: 00754C7E
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Time$File$DateLocal
• String ID:
• API String ID: 2071732420-0
• Opcode ID: 105166c62d1567b96bc7bb8a11ee651720e29c940e26612e8f99da06fa28bae3
• Instruction ID: f524022aaf5602519797b8bdb3a263ec085aa1c4f35ad60252d0d74ef6a7af87
• Opcode Fuzzy Hash: 105166c62d1567b96bc7bb8a11ee651720e29c940e26612e8f99da06fa28bae3
• Instruction Fuzzy Hash: 08F0627260120C7BAB549FB5CC489FB77BCEB44246744463AA915D1050EAB8D958CB71
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00754A23,?,00754F67,*MEMCAB,00008000,00000180), ref: 007548DE
• CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00754F67,*MEMCAB,00008000,00000180), ref: 00754902
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 0405b182d42d2656783b6fdd53e1c80e38586ba7994b1da8f0b1d24da22b5513
• Instruction ID: 79bb7f47275732181a6ae63b6cfb7a62a1cbf05bd193ef9b85ca27847a1f5a0e
• Opcode Fuzzy Hash: 0405b182d42d2656783b6fdd53e1c80e38586ba7994b1da8f0b1d24da22b5513
• Instruction Fuzzy Hash: 8F014BA3E1167426F32442294C89FF7551CDB9673AF2B0334BDAAE71D1D6A86C4882E0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00753680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0075369F
  • Part of subcall function 00753680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 007536B2
  • Part of subcall function 00753680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 007536DA
• WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00754B05
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: MessagePeek$FileMultipleObjectsWaitWrite
• String ID:
• API String ID: 1084409-0
• Opcode ID: ba6517084b94cb4eee97daaf86bd36365c7c0153eb193e26744af3b25c1545d5
• Instruction ID: 34a10a0261841840933c25a6120222095c1c7858d702ad47a4abe6b99621651c
• Opcode Fuzzy Hash: ba6517084b94cb4eee97daaf86bd36365c7c0153eb193e26744af3b25c1545d5
• Instruction Fuzzy Hash: 4E016D71200305ABDB548F58DC05BE277A9B74472BF14C229EA39AB1E0EBF8DC55CB85
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CharPrevA.USER32(00758B3E,00758B3F,00000001,00758B3E,-00000003,?,007560EC,00751140,?), ref: 007565BA
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
• Opcode ID: b1d516c1683138778a0a362b1f4fc8e32066b10931115bc5f8c4a32943d3baf7
• Instruction ID: d7bd7b054d878c9f3975a91394f11e7308d61ba26d5ad2a92bd53bd60c8e548c
• Opcode Fuzzy Hash: b1d516c1683138778a0a362b1f4fc8e32066b10931115bc5f8c4a32943d3baf7
• Instruction Fuzzy Hash: C9F042321442509BD331451D9884BE6BFDDDB85352F94016EEDDAC3205FADD4D5D83B4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0075623F
  • Part of subcall function 007544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00754518
  • Part of subcall function 007544B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00754554
  • Part of subcall function 00756285: GetLastError.KERNEL32(00755BBC), ref: 00756285
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: DirectoryErrorLastLoadMessageStringWindows
• String ID:
• API String ID: 381621628-0
• Opcode ID: 15293d927ac0a634fcb6826f902a8e3a7e2f98e81d2f2bc800f27c3c96db29c8
• Instruction ID: f25fe12468e9fc5d324ee18b57b6f30cf03923825e4ceeb9b5a0e98c730b9fa0
• Opcode Fuzzy Hash: 15293d927ac0a634fcb6826f902a8e3a7e2f98e81d2f2bc800f27c3c96db29c8
• Instruction Fuzzy Hash: 06F0B470600308EBEB90EB748D06FFE33A8EB44702F804069AD89D7081EDFC9D488654
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00754FA1,00000000), ref: 00754B98
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ChangeCloseFindNotification
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2591292051-0
                                                                                                                                                                                                                  • Opcode ID: cb26e8425687a29b4c3851fd8c55874f2aec3522e1c3bc6c083d8e2a2c6adc3e
                                                                                                                                                                                                                  • Instruction ID: b612a209cf20eb84484aec3115fce7e1412f4ebd1043c9fd1ab0dadf35396c89
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb26e8425687a29b4c3851fd8c55874f2aec3522e1c3bc6c083d8e2a2c6adc3e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 36F0FE71600F489F47A18F3B8C016D2BBF4AA993633100B2A946EE2190EFB8A445CF91
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetFileAttributesA.KERNELBASE(?,00754777,?,00754E38,?), ref: 007566B1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                                                  • Opcode ID: 3350098e1aa777777318314771196e457fa1fef4b20ebe9bbfcbb67aa189553b
                                                                                                                                                                                                                  • Instruction ID: f81fee1e83883ee6479c63096f166c31d706562573463c3dc37ca016d1de8542
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3350098e1aa777777318314771196e457fa1fef4b20ebe9bbfcbb67aa189553b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C2B09276232541526A2006316C295AA2841E6C123B7E45BA0F036C12E0DABEC84AD008
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GlobalAlloc.KERNELBASE(00000000,?), ref: 00754CAA
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: AllocGlobal
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3761449716-0
                                                                                                                                                                                                                  • Opcode ID: 36817470c5ecef71c8c7aeccfc101987d0225d10fa38c7c7b61714c71705af21
                                                                                                                                                                                                                  • Instruction ID: f42f24009d5b2ba0dfa74698861d7e07acc5e7a3851ff1da7d0504b32a490cf9
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 36817470c5ecef71c8c7aeccfc101987d0225d10fa38c7c7b61714c71705af21
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 93B0123204430CB7DF001FC2EC09FC63F1DE7C4762F144010F60C450909AB29410869A
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: FreeGlobal
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2979337801-0
                                                                                                                                                                                                                  • Opcode ID: 611640089edc3ac2feae19fd94ea9e781b2c9dd4b5fdece2d2b96b109867a10c
                                                                                                                                                                                                                  • Instruction ID: 7c7e786429eca331f17e06ed11496e9d5e21c0156c7fd4dfd02925ca707e902d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 611640089edc3ac2feae19fd94ea9e781b2c9dd4b5fdece2d2b96b109867a10c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5DB0123100020CB78F001B42EC088853F1DD6C02617004020F60C410219B7798118589
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CharNextA.USER32(?,00000000,?,?), ref: 00755CEE
                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00758B3E,00000104,00000000,?,?), ref: 00755DFC
                                                                                                                                                                                                                  • CharUpperA.USER32(?), ref: 00755E3E
                                                                                                                                                                                                                  • CharUpperA.USER32(-00000052), ref: 00755EE1
                                                                                                                                                                                                                  • CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00755F6F
                                                                                                                                                                                                                  • CharUpperA.USER32(?), ref: 00755FA7
                                                                                                                                                                                                                  • CharUpperA.USER32(-0000004E), ref: 00756008
                                                                                                                                                                                                                  • CharUpperA.USER32(?), ref: 007560AA
                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00751140,00000000,00000040,00000000), ref: 007561F1
                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 007561F8
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
                                                                                                                                                                                                                  • String ID: "$"$:$RegServer
                                                                                                                                                                                                                  • API String ID: 1203814774-25366791
                                                                                                                                                                                                                  • Opcode ID: e8ac66f2e68bd25f2def84dfcaf079ec4d27fa185f378a95290789e3a44bf0ec
                                                                                                                                                                                                                  • Instruction ID: 99a329c894985b718766ade1e310e10f08984391f16b12aa0ecf1956b91c24a6
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e8ac66f2e68bd25f2def84dfcaf079ec4d27fa185f378a95290789e3a44bf0ec
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 83D17C71A04B499BEF358B388C697F93771AB15303F5481A9CC86D7190DAFC8E8E8B15
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00751EFB
                                                                                                                                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00751F02
• ExitWindowsEx.USER32(00000002,00000000), ref: 00751FD3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Process$CurrentExitOpenTokenWindows
• String ID: SeShutdownPrivilege
• API String ID: 2795981589-3733053543
• Opcode ID: ce2b1134ea140a1a61b17927f33d310376fdbdba0a571ae03fd17cca4e3b4ec4
• Instruction ID: c4049170c72226f1e56a9c39cd960c71867905d21c144b4be859730e9609747c
• Opcode Fuzzy Hash: ce2b1134ea140a1a61b17927f33d310376fdbdba0a571ae03fd17cca4e3b4ec4
• Instruction Fuzzy Hash: 4E21E671A41305BBDB205BA19C4AFFF3AB8DB85713F504128FE06E20C0D7FC88099265
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,007518DD), ref: 0075181A
• GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0075182C
• AllocateAndInitializeSid.ADVAPI32(007518DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,007518DD), ref: 00751855
• FreeSid.ADVAPI32(?,?,?,?,007518DD), ref: 00751883
• FreeLibrary.KERNEL32(00000000,?,?,?,007518DD), ref: 0075188A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: FreeLibrary$AddressAllocateInitializeLoadProc
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 4204503880-1888249752
• Opcode ID: 26312e71d1c83277d87f965e79a8f28e46621f8c2eb14a0f90ac004d9c9dbb37
• Instruction ID: 1e0ac4ab9aea45b0e5a2642f385443407ad43e4f39e84474e73c2e5fbd20bb72
• Opcode Fuzzy Hash: 26312e71d1c83277d87f965e79a8f28e46621f8c2eb14a0f90ac004d9c9dbb37
• Instruction Fuzzy Hash: 65118171E00309BBDB109FA4DC49AFEBB78EF44713F504569FA15E3290EAB89D048B95
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00756E26,00751000), ref: 00756CF7
• UnhandledExceptionFilter.KERNEL32(&nu,?,00756E26,00751000), ref: 00756D00
• GetCurrentProcess.KERNEL32(C0000409,?,00756E26,00751000), ref: 00756D0B
• TerminateProcess.KERNEL32(00000000,?,00756E26,00751000), ref: 00756D12
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID: &nu
• API String ID: 3231755760-412098778
• Opcode ID: cd21c4c8e39cb30ef0487b97ec50778fcecadb54d63f076f8dbb0b7790bfaa47
• Instruction ID: 342bc6f042a5ce3f911cba4f1ed5efbb4aa54d5e500efe9eda00f35453836ad7
• Opcode Fuzzy Hash: cd21c4c8e39cb30ef0487b97ec50778fcecadb54d63f076f8dbb0b7790bfaa47
• Instruction Fuzzy Hash: 75D0C932000B0CBBEB002BF1EC0CA993F39EB48213F448120F31982020CABA58518B5B
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00757182
• GetCurrentProcessId.KERNEL32 ref: 00757191
• GetCurrentThreadId.KERNEL32 ref: 0075719A
• GetTickCount.KERNEL32 ref: 007571A3
• QueryPerformanceCounter.KERNEL32(?), ref: 007571B8
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: 743b825ce910602a990dea889f7cfe871515423a17fbb60dbfe67debdaaaf9c7
• Instruction ID: 6367672dfa56a8312723821a0039634104c74800e9fd439e866d3e59fe1d3b24
• Opcode Fuzzy Hash: 743b825ce910602a990dea889f7cfe871515423a17fbb60dbfe67debdaaaf9c7
• Instruction Fuzzy Hash: 7E113D71D0160CEBCB54DFB8EA48ADEB7F4EF48312F918565D805E7250DA789A04CB45
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00006EF0), ref: 00756F45
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: aacda1995837e0071f1426bb6e09e99a897d4972088a30ddd874953c918ea6a5
• Instruction ID: 84d8fd8cb044865d817dc17904f6eaa3cb91d2db73660125e4a8f3c3c7b42651
• Opcode Fuzzy Hash: aacda1995837e0071f1426bb6e09e99a897d4972088a30ddd874953c918ea6a5
• Instruction Fuzzy Hash: 6E9002A42526045796111B709D1A495B5A16B4D603BC19570A411C5494DBE844455516
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadStringA.USER32(000003E8,00758598,00000200), ref: 00753271
• GetDesktopWindow.USER32 ref: 007533E2
• SetWindowTextA.USER32(?,smo), ref: 007533F7
• SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00753410
• GetDlgItem.USER32(?,00000836), ref: 00753426
• EnableWindow.USER32(00000000), ref: 0075342D
• EndDialog.USER32(?,00000000), ref: 0075343F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$smo
                                                                                                                                                                                                                  • API String ID: 2418873061-1076603444
                                                                                                                                                                                                                  • Opcode ID: 5b447ed249aa1f1036cfef4f23d43dd704755151220289e3b52cb513131a4ba7
                                                                                                                                                                                                                  • Instruction ID: 6d9332fe34d36b09a9a082e25fad461e6611ae9e8b8e61c948c25d81889d368c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5b447ed249aa1f1036cfef4f23d43dd704755151220289e3b52cb513131a4ba7
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C6512830340798B7EB211B355C4DFFB2E58AB86BC7F108138FE05960E0DAFC8A499265
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• TerminateThread.KERNEL32(00000000), ref: 00753535
• EndDialog.USER32(?,?), ref: 00753541
• ResetEvent.KERNEL32 ref: 0075355F
• SetEvent.KERNEL32(00751140,00000000,00000020,00000004), ref: 00753590
• GetDesktopWindow.USER32 ref: 007535C7
• GetDlgItem.USER32(?,0000083B), ref: 007535F1
• SendMessageA.USER32(00000000), ref: 007535F8
• GetDlgItem.USER32(?,0000083B), ref: 00753610
• SendMessageA.USER32(00000000), ref: 00753617
• SetWindowTextA.USER32(?,smo), ref: 00753623
• CreateThread.KERNEL32(00000000,00000000,Function_00004FE0,00000000,00000000,00758798), ref: 00753637
• EndDialog.USER32(?,00000000), ref: 00753671
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
• String ID: smo
• API String ID: 2406144884-2762499640
• Opcode ID: b172a344fde2bd4ca7db0237f0d7e30056ac980290603ecdc3a86df193035ded
• Instruction ID: 1ac2f7f479a979cde406bd74535499619f5219b404291d2377638f5e05ae3657
• Opcode Fuzzy Hash: b172a344fde2bd4ca7db0237f0d7e30056ac980290603ecdc3a86df193035ded
• Instruction Fuzzy Hash: B031A671240304BBD7601F75AC4DEEA3A74F785B83F608539FA02A52B0DAFD8914CA5A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00754236
• GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0075424C
• GetProcAddress.KERNEL32(00000000,000000C3), ref: 00754263
• GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 0075427A
• GetTempPathA.KERNEL32(00000104,007588C0,?,00000001), ref: 0075429F
• CharPrevA.USER32(007588C0,00EB1181,?,00000001), ref: 007542C2
• CharPrevA.USER32(007588C0,00000000,?,00000001), ref: 007542D6
• FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00754391
• FreeLibrary.KERNEL32(00000000,?,00000001), ref: 007543A5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
• String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
• API String ID: 1865808269-1731843650
• Opcode ID: 8120f1a62ffd0565f0a13895b1aa5e23abd11b52f7edde0265eb5c94dfc088ea
• Instruction ID: 837797dd66ee0f8e9b393109ac549e4830ee36abb8ec1767d2818492a0694b50
• Opcode Fuzzy Hash: 8120f1a62ffd0565f0a13895b1aa5e23abd11b52f7edde0265eb5c94dfc088ea
• Instruction Fuzzy Hash: 1741C3B4A00304AFE7119B609C89AEE7FB4EB4534AF044169ED41B7291DFFC8C498B66
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CharUpperA.USER32(902A8B49,00000000,00000000,00000000), ref: 007527A8
• CharNextA.USER32(0000054D), ref: 007527B5
• CharNextA.USER32(00000000), ref: 007527BC
• RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00752829
• RegQueryValueExA.ADVAPI32(?,00751140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00752852
• ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00752870
• RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 007528A0
• GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 007528AA
• GetSystemDirectoryA.KERNEL32(-00000005,00000104), ref: 007528B9
Strings
• Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 007527E4
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
• String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
• API String ID: 2659952014-2428544900
• Opcode ID: 6fac2e5f072c3d26f702507cfa9112ea541c9a49fa204c95f13624866d1791da
• Instruction ID: c3ae5e774f15e54d09ee6fc2ba2d5fdc220f5bf0d4d86cd8bd34744567a4ae7e
• Opcode Fuzzy Hash: 6fac2e5f072c3d26f702507cfa9112ea541c9a49fa204c95f13624866d1791da
• Instruction Fuzzy Hash: 41410A71D0021CAFDB248B64DC45AFA7BBCEF16702F1040A9F949D2141DBF85E8A8FA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 007522A3
• RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,00000001), ref: 007522D8
• memset.MSVCRT ref: 007522F5
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00752305
• RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 0075236E
• RegCloseKey.ADVAPI32(?), ref: 0075237A
Strings
• wextract_cleanup0, xrefs: 0075227C, 007522CD, 00752363
• C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00752321
• Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00752299
• rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 0075232D
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Value$CloseDirectoryOpenQuerySystemmemset
                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                                                                                                                                                                                  • API String ID: 3027380567-2036266374
                                                                                                                                                                                                                  • Opcode ID: f2a2cc4e54f900f41e855dc431276cd88fdc9acdb8349139e3b7e7adb11e56b5
                                                                                                                                                                                                                  • Instruction ID: f06682f1c3594274f5136aa50390dd5c326110f911aa4da4f1a0db9fa77c2a64
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f2a2cc4e54f900f41e855dc431276cd88fdc9acdb8349139e3b7e7adb11e56b5
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DA31C871A00218ABDB619B50DC49FEB7B7CEF15702F4401E9B90DA6051EEF96F8DCA50
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• EndDialog.USER32(?,00000000), ref: 0075313B
• GetDesktopWindow.USER32 ref: 0075314B
• SetDlgItemTextA.USER32(?,00000834), ref: 0075316A
• SetWindowTextA.USER32(?,smo), ref: 00753176
• SetForegroundWindow.USER32(?), ref: 0075317D
• GetDlgItem.USER32(?,00000834), ref: 00753185
• GetWindowLongA.USER32(00000000,000000FC), ref: 00753190
• SetWindowLongA.USER32(00000000,000000FC,007530C0), ref: 007531A3
• SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 007531CA
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
• String ID: smo
• API String ID: 3785188418-2762499640
• Opcode ID: f8f39d584e0444d193720a0f5b0ab058368358eba4b805f9fc89653bab070367
• Instruction ID: 66936903c83f110f8b1b0575f1f2713f0397a8b738c83750a34b2b147e667126
• Opcode Fuzzy Hash: f8f39d584e0444d193720a0f5b0ab058368358eba4b805f9fc89653bab070367
• Instruction Fuzzy Hash: B911D231604B19BBDB115B349C0DBDA3A64FB4A763F008620FD15A11F0DBFC8A45C78A
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 007517EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,007518DD), ref: 0075181A
  • Part of subcall function 007517EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0075182C
  • Part of subcall function 007517EE: AllocateAndInitializeSid.ADVAPI32(007518DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,007518DD), ref: 00751855
  • Part of subcall function 007517EE: FreeSid.ADVAPI32(?,?,?,?,007518DD), ref: 00751883
  • Part of subcall function 007517EE: FreeLibrary.KERNEL32(00000000,?,?,?,007518DD), ref: 0075188A
• GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 007518EB
• OpenProcessToken.ADVAPI32(00000000), ref: 007518F2
• GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0075190A
• GetLastError.KERNEL32 ref: 00751918
• LocalAlloc.KERNEL32(00000000,?,?), ref: 0075192C
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00751944
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00751964
• EqualSid.ADVAPI32(00000004,?), ref: 0075197A
• FreeSid.ADVAPI32(?), ref: 0075199C
• LocalFree.KERNEL32(00000000), ref: 007519A3
• CloseHandle.KERNEL32(?), ref: 007519AD
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
• String ID:
• API String ID: 2168512254-0
• Opcode ID: 6dddc1d5156c44634372f4b781326b32bf7d6c3d56e4e02c072dbfbc0ba16189
• Instruction ID: 3a430106ddc9ed775066686163e8bf70e727074b34c3b1784f5f7cbc9977f2d7
• Opcode Fuzzy Hash: 6dddc1d5156c44634372f4b781326b32bf7d6c3d56e4e02c072dbfbc0ba16189
• Instruction Fuzzy Hash: DE314371A0024AEFDB109FA5DC48AEFBBBCFF04303F504529E945D2150EBB9A949CB65
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546A0
• SizeofResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A9
• FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546C3
• LoadResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546CC
• LockResource.KERNEL32(00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546D3
• memcpy_s.MSVCRT ref: 007546E5
• FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546EF
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
• String ID: TITLE$smo
• API String ID: 3370778649-3033500379
• Opcode ID: f75627ae7657b9579acf78e02ce3abc19920901358f5296654596afb83bd6d91
• Instruction ID: e02747f3c47b43ca2089c415a93cd38cb6477ca34adeea1fa1cc5fe96cfd2e8b
• Opcode Fuzzy Hash: f75627ae7657b9579acf78e02ce3abc19920901358f5296654596afb83bd6d91
• Instruction Fuzzy Hash: 8B01D6322403047BE31017A55C4DFEB7E6CDBC6B53F048124FE4986180D9E9888682AA
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0075686E
• GetSystemMetrics.USER32(0000004A), ref: 007568A7
• RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 007568CC
• RegQueryValueExA.ADVAPI32(?,00751140,00000000,?,?,0000000C), ref: 007568F4
• RegCloseKey.ADVAPI32(?), ref: 00756902
  • Part of subcall function 007566F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,0075691A), ref: 00756741
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
                                                                                                                                                                                                                  • String ID: ;Fu$Control Panel\Desktop\ResourceLocale
                                                                                                                                                                                                                  • API String ID: 3346862599-664461131
                                                                                                                                                                                                                  • Opcode ID: f8691df08f53d9550a342605b796066e46905761a678534c1254ff4e8f406d17
                                                                                                                                                                                                                  • Instruction ID: f0a0972630e107ddd18b6116355169efc23842019e6d86390d88eb81de8c2a9f
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f8691df08f53d9550a342605b796066e46905761a678534c1254ff4e8f406d17
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 58316D31B0131C9FDB218B11CC05BEAB778EB45726F4041A9ED4DA3140DBB8A9898B56
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • EndDialog.USER32(?,?), ref: 00753490
                                                                                                                                                                                                                  • GetDesktopWindow.USER32 ref: 0075349A
                                                                                                                                                                                                                  • SetWindowTextA.USER32(?,smo), ref: 007534B2
                                                                                                                                                                                                                  • SetDlgItemTextA.USER32(?,00000838), ref: 007534C4
                                                                                                                                                                                                                  • SetForegroundWindow.USER32(?), ref: 007534CB
                                                                                                                                                                                                                  • EndDialog.USER32(?,00000002), ref: 007534D8
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Window$DialogText$DesktopForegroundItem
                                                                                                                                                                                                                  • String ID: smo
                                                                                                                                                                                                                  • API String ID: 852535152-2762499640
                                                                                                                                                                                                                  • Opcode ID: 8efeecda8a3ae8a4082b2273c3fd1473ee16457add4ae42a6c26f3662e2205e3
                                                                                                                                                                                                                  • Instruction ID: 23dce8997c4556e9a94b64aee745f21fa0328249cc7d178cdd74ff377d54c920
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8efeecda8a3ae8a4082b2273c3fd1473ee16457add4ae42a6c26f3662e2205e3
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DC018031240698ABD7965B64DC0C9FD3A64EB05783F00C524FE46865B0CBFC8A45DB89
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00752AE6
                                                                                                                                                                                                                  • IsDBCSLeadByte.KERNEL32(00000000), ref: 00752AF2
                                                                                                                                                                                                                  • CharNextA.USER32(?), ref: 00752B12
                                                                                                                                                                                                                  • CharUpperA.USER32 ref: 00752B1E
                                                                                                                                                                                                                  • CharPrevA.USER32(?,?), ref: 00752B55
                                                                                                                                                                                                                  • CharNextA.USER32(?), ref: 00752BD4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 571164536-0
                                                                                                                                                                                                                  • Opcode ID: 172d36bed4a16dfd00fdccb20fe281ce0be3b591f0ed803591061201e85df4d6
                                                                                                                                                                                                                  • Instruction ID: 8fdbcc20f0bf3ee5403c4042a08fa287b1f143e1c61e65240a1fc40329bacac6
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 172d36bed4a16dfd00fdccb20fe281ce0be3b591f0ed803591061201e85df4d6
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FA411374504249AFDB159F348C04AFD7BA99F57302F1441AAECC293202EBAC4E4BCB65
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00752A6F
                                                                                                                                                                                                                    • Part of subcall function 00752773: CharUpperA.USER32(902A8B49,00000000,00000000,00000000), ref: 007527A8
                                                                                                                                                                                                                    • Part of subcall function 00752773: CharNextA.USER32(0000054D), ref: 007527B5
                                                                                                                                                                                                                    • Part of subcall function 00752773: CharNextA.USER32(00000000), ref: 007527BC
                                                                                                                                                                                                                    • Part of subcall function 00752773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00752829
                                                                                                                                                                                                                    • Part of subcall function 00752773: RegQueryValueExA.ADVAPI32(?,00751140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00752852
                                                                                                                                                                                                                    • Part of subcall function 00752773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00752870
                                                                                                                                                                                                                    • Part of subcall function 00752773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 007528A0
                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00753938,?,?,?,?,-00000005), ref: 00752958
                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00753938,?,?,?,?,-00000005,?), ref: 00752969
                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00753938,?,?,?,?,-00000005,?), ref: 00752A21
                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00753938,?,?), ref: 00752A81
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
                                                                                                                                                                                                                  • String ID: 89u
                                                                                                                                                                                                                  • API String ID: 3949799724-4224869683
                                                                                                                                                                                                                  • Opcode ID: fedacce303a69a1d6e40d47c855cc1d78c643f1673497ebccf7f08ee2bf80540
                                                                                                                                                                                                                  • Instruction ID: eda2c62ec08f795150a10af9c37b60b47c691a52533728da704b56ee50719f84
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fedacce303a69a1d6e40d47c855cc1d78c643f1673497ebccf7f08ee2bf80540
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AA514E31D00219EBDB21CF94C884AEEF7B5FF49702F14812AED05E3252DB799946CB94
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 007543F1
                                                                                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0075440B
                                                                                                                                                                                                                  • GetDC.USER32(?), ref: 00754423
                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 0075442E
                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0075443A
• ReleaseDC.USER32(?,00000000), ref: 00754447
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,00000001), ref: 007544A2
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Window$CapsDeviceRect$Release
• String ID:
• API String ID: 2212493051-0
• Opcode ID: 7962b2af23160fcd11a38d91ecd0140e8af6fac4c139c2d5e61973f4e817020a
• Instruction ID: d72c561849ce9ad0073ea70e3d93fcc11e6d02cc265a2b0cf1563f93849f30a8
• Opcode Fuzzy Hash: 7962b2af23160fcd11a38d91ecd0140e8af6fac4c139c2d5e61973f4e817020a
• Instruction Fuzzy Hash: B8315E32E00619AFCB14CFB8DD889EEBBB5EB89311F154269F905F3240DAB46C458B64
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0075171E: _vsnprintf.MSVCRT ref: 00751750
• LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,007551CA,00000004,00000024,00752F71,?,00000002,00000000), ref: 007562CD
• LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,007551CA,00000004,00000024,00752F71,?,00000002,00000000), ref: 007562D4
• FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,007551CA,00000004,00000024,00752F71,?,00000002,00000000), ref: 0075631B
• FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00756345
• FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,007551CA,00000004,00000024,00752F71,?,00000002,00000000), ref: 00756357
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Resource$Free$FindLoadLock_vsnprintf
• String ID: UPDFILE%lu
• API String ID: 2922116661-2329316264
• Opcode ID: 4ec382d0aacecbed1bea5b3b94916cacd465c25d446a4d5c9c5a35fee32efa96
• Instruction ID: ce2d981a330c681b48974af33324399c876bbec22cf8544890ae1202bdfcef36
• Opcode Fuzzy Hash: 4ec382d0aacecbed1bea5b3b94916cacd465c25d446a4d5c9c5a35fee32efa96
• Instruction Fuzzy Hash: DC21F675A00219ABDB109F64CC499FF7B78FF48712B404229FD06A3241DBBD9D0A8BE5
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546A0
  • Part of subcall function 0075468F: SizeofResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A9
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546C3
  • Part of subcall function 0075468F: LoadResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546CC
  • Part of subcall function 0075468F: LockResource.KERNEL32(00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546D3
  • Part of subcall function 0075468F: memcpy_s.MSVCRT ref: 007546E5
  • Part of subcall function 0075468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546EF
• LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00752F64,?,00000002,00000000), ref: 00753A5D
• LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00753AB3
  • Part of subcall function 007544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00754518
  • Part of subcall function 007544B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00754554
  • Part of subcall function 00756285: GetLastError.KERNEL32(00755BBC), ref: 00756285
• lstrcmpA.KERNEL32(<None>,00000000), ref: 00753AD0
• LocalFree.KERNEL32 ref: 00753B13
  • Part of subcall function 00756517: FindResourceA.KERNEL32(00750000,000007D6,00000005), ref: 0075652A
  • Part of subcall function 00756517: LoadResource.KERNEL32(00750000,00000000,?,?,00752EE8,00000000,007519E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00756538
  • Part of subcall function 00756517: DialogBoxIndirectParamA.USER32(00750000,00000000,00000547,007519E0,00000000), ref: 00756557
  • Part of subcall function 00756517: FreeResource.KERNEL32(00000000,?,?,00752EE8,00000000,007519E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00756560
• LocalFree.KERNEL32(00000000,00753100,00000000,00000000), ref: 00753AF4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
• String ID: <None>$LICENSE
• API String ID: 2414642746-383193767
• Opcode ID: 3281d3e5ec97e250960e6178a6c30baf83e168173cc9a4663465681a97255dd8
• Instruction ID: 72836149def8d1df104e72664d4acd3d662e438d515da2684a3de8371078b22d
• Opcode Fuzzy Hash: 3281d3e5ec97e250960e6178a6c30baf83e168173cc9a4663465681a97255dd8
• Instruction Fuzzy Hash: 6B118170700305EBD7609B329C09ED779F9EBD9743B10C12EBA45E61B1EAFE88048669
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00752506
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0075252C
• _lopen.KERNEL32(?,00000040), ref: 0075253B
• _llseek.KERNEL32(00000000,00000000,00000002), ref: 0075254C
• _lclose.KERNEL32(00000000), ref: 00752555
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
• String ID: wininit.ini
• API String ID: 3273605193-4206010578
• Opcode ID: c255a5524ab0df547835a4e4a464727a332a08775a03849beedd305e31024895
• Instruction ID: 0b12526f1e937076a8391cfaffe1f889d27f2d5682ec4e3659fe8e6a6c318c13
• Opcode Fuzzy Hash: c255a5524ab0df547835a4e4a464727a332a08775a03849beedd305e31024895
• Instruction Fuzzy Hash: 0E01B932700218B7D7209B659C0CEDF7B7CDB46752F404265FA49D31D0EEB84E45CA95
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00753723
• MessageBeep.USER32(00000000), ref: 007539C3
• MessageBoxA.USER32(00000000,00000000,smo,00000030), ref: 007539F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Message$BeepVersion
• String ID: 3$smo
• API String ID: 2519184315-1411035656
• Opcode ID: f614394507cc88a7bf58cec704fee30415b97c59fca0d38c5787de62353d7118
• Instruction ID: 4c5417912c33003a9da7aaee68beae60944ecfadfa411231dee6f00d1897e135
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f614394507cc88a7bf58cec704fee30415b97c59fca0d38c5787de62353d7118
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E191F8B1E012149FEB758B24CC817E973A0AB45386F1481A9EC49E7261DBFC9F89CF51
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(00750000,000007D6,00000005), ref: 0075652A
• LoadResource.KERNEL32(00750000,00000000,?,?,00752EE8,00000000,007519E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00756538
• DialogBoxIndirectParamA.USER32(00750000,00000000,00000547,007519E0,00000000), ref: 00756557
• FreeResource.KERNEL32(00000000,?,?,00752EE8,00000000,007519E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00756560
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Resource$DialogFindFreeIndirectLoadParam
• String ID: .u
• API String ID: 1214682469-3478722563
• Opcode ID: 9d4dd18c0fc86a1483b54a6245779d39b4dd24e2cd251f1cda2b355d19114e7a
• Instruction ID: 189726b4ac42cc221e94822eee66720ae9d17846ebe65bb6900138289b34bbab
• Opcode Fuzzy Hash: 9d4dd18c0fc86a1483b54a6245779d39b4dd24e2cd251f1cda2b355d19114e7a
• Instruction Fuzzy Hash: 05012672540709BBDB105FA99C48DFB7A6CEB85363F404229FE0493190EBF98D20C6A5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 007564DF
• LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 007564F9
• LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 00756502
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: LibraryLoad$AttributesFile
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
• API String ID: 438848745-3680919256
• Opcode ID: ef017f23394c671a49b934a115dc7b38d60f40c5cc7afe19b800c07dd8c1c287
• Instruction ID: 2b83ad9e21824ee5aed4e33bd53034ac7f82f80314250f2bbba7455fa3158bf4
• Opcode Fuzzy Hash: ef017f23394c671a49b934a115dc7b38d60f40c5cc7afe19b800c07dd8c1c287
• Instruction Fuzzy Hash: 9301D670540208ABD750EB64DC49BEE7778DB54313F9002A9F989931C0EFF8AE8D8A51
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546A0
  • Part of subcall function 0075468F: SizeofResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546A9
  • Part of subcall function 0075468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 007546C3
  • Part of subcall function 0075468F: LoadResource.KERNEL32(00000000,00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546CC
  • Part of subcall function 0075468F: LockResource.KERNEL32(00000000,?,00752D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 007546D3
  • Part of subcall function 0075468F: memcpy_s.MSVCRT ref: 007546E5
  • Part of subcall function 0075468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 007546EF
• LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,007530B4), ref: 00754189
• LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,007530B4), ref: 007541E7
  • Part of subcall function 007544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00754518
  • Part of subcall function 007544B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00754554
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
• String ID: <None>$FINISHMSG
• API String ID: 3507850446-3091758298
• Opcode ID: 0a8e2c8dd397603749ed04d9923c2845ce05f6d2f44bec72552462d97ac68b3d
• Instruction ID: 57aa4c8b4e9edef825470e948fc5fbaf9b874a5fff159c251038c840ce610251
• Opcode Fuzzy Hash: 0a8e2c8dd397603749ed04d9923c2845ce05f6d2f44bec72552462d97ac68b3d
• Instruction Fuzzy Hash: 7F01ADA1340618BBF72417654C9AFFB258EDB9479BF004139BF05E21849EECCC8941B9
Uniqueness
Uniqueness Score: -1.00%

APIs
• EndDialog.USER32(?,?), ref: 00751A18
• GetDesktopWindow.USER32 ref: 00751A24
• LoadStringA.USER32(?,?,00000200), ref: 00751A4F
• SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00751A62
• MessageBeep.USER32(000000FF), ref: 00751A6A
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
• String ID: <None>
• API String ID: 1273765764-0
• Opcode ID: a8b1925ab6fc812215bd696b4ea95177f12717a4708f291a478262c02d223992
• Instruction ID: cfd8463579a50bfc0b2a586f6186acc0a7679312687a1cd56086755f1a96f33a
• Opcode Fuzzy Hash: a8b1925ab6fc812215bd696b4ea95177f12717a4708f291a478262c02d223992
• Instruction Fuzzy Hash: CF11C63150020DABDB01DF64DD08BED77B4EB05303F50C264E92292190CAB89E04CB95
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0075642D
• WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0075645B
• CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0075647A
Strings
• C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 007563EB
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: File$CloseCreateHandleWrite
                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                                                                                                                  • API String ID: 1065093856-305352358
Uniqueness

Uniqueness Score: -1.00%

APIs
• LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00754E6F), ref: 007547EA
• LocalAlloc.KERNEL32(00000040,?), ref: 00754823
• LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00754847
  • Part of subcall function 007544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00754518
  • Part of subcall function 007544B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00754554
Strings
• C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00754851
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Local$Alloc$FreeLoadMessageString
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
• API String ID: 359063898-305352358
Uniqueness

Uniqueness Score: -1.00%

APIs
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0075369F
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 007536B2
• DispatchMessageA.USER32(?), ref: 007536CB
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 007536DA
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Message$Peek$DispatchMultipleObjectsWait
• String ID:
• API String ID: 2776232527-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00752B33), ref: 00756602
• CharPrevA.USER32(?,00000000), ref: 00756612
• CharPrevA.USER32(?,00000000), ref: 00756629
• CharNextA.USER32(00000000), ref: 00756635
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: Char$Prev$Next
• String ID:
• API String ID: 3260447230-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00756FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00756FC5
• __set_app_type.MSVCRT ref: 007569C2
• __p__fmode.MSVCRT ref: 007569D8
• __p__commode.MSVCRT ref: 007569E6
• __setusermatherr.MSVCRT ref: 00756A07
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
Similarity
• API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
• String ID:
• API String ID: 1632413811-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDiskFreeSpaceA.KERNEL32(0000005A,?,?,`Wu,?,00000000,00755760,?,A:\), ref: 0075697F
• MulDiv.KERNEL32(?,?,00000400), ref: 00756999
Strings
Memory Dump Source
• Source File: 00000000.00000002.2647217088.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2647191730.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647237467.0000000000758000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000000.00000002.2647256102.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_750000_14OWDrfahJ.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: DiskFreeSpace
                                                                                                                                                                                                                  • String ID: `Wu
                                                                                                                                                                                                                  • API String ID: 1705453755-1644387346
                                                                                                                                                                                                                  • Opcode ID: e0e046413bb4f3e78984a4ec4ff504bd3e388ea5c553aaf6ecacc1da5309d19d
                                                                                                                                                                                                                  • Instruction ID: 024942673336aad30793636c80f078c87edd45a01dd794bdb6cd4a52c358271d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e0e046413bb4f3e78984a4ec4ff504bd3e388ea5c553aaf6ecacc1da5309d19d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8F0FF76D0022CBBCB11DFD8CC44ADEBBBCEB48701F504296E910E3240DB759A048BD1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                  Execution Coverage:29.2%
                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                                                                                  Total number of Nodes:961
                                                                                                                                                                                                                  Total number of Limit Nodes:26
[Execution graph rendering omitted: in the original report this is an interactive node/edge diagram of the 961 nodes and 26 limit nodes counted above, with each node given as <id> <function address> <API names>, collapsed limit nodes as <n> API calls, and edges as <src>-><dst>. The flattened text dump on this page is cut off mid-node and is not reproduced.]
11ea1 2996->3001 2997->2993 2998->2985 3002 11de1 2998->3002 3001->2772 3006 1171e _vsnprintf 3002->3006 3004 11d23 3003->3004 3005 11d09 GetShortPathNameA 3003->3005 3008 1171e _vsnprintf 3004->3008 3005->3004 3006->3007 3007->2992 3008->3007 3010 12256 3009->3010 3011 1209a 3009->3011 3012 16ce0 4 API calls 3010->3012 3014 1171e _vsnprintf 3011->3014 3016 120dc 3011->3016 3013 12263 3012->3013 3013->2772 3015 120af RegQueryValueExA 3014->3015 3015->3011 3015->3016 3017 120e4 RegCloseKey 3016->3017 3018 120fb GetSystemDirectoryA 3016->3018 3017->3010 3019 1658a CharPrevA 3018->3019 3020 1211b LoadLibraryA 3019->3020 3021 12179 GetModuleFileNameA 3020->3021 3022 1212e GetProcAddress FreeLibrary 3020->3022 3024 121de RegCloseKey 3021->3024 3027 12177 3021->3027 3022->3021 3023 1214e GetSystemDirectoryA 3022->3023 3025 12165 3023->3025 3023->3027 3024->3010 3026 1658a CharPrevA 3025->3026 3026->3027 3027->3027 3028 121b7 LocalAlloc 3027->3028 3029 121cd 3028->3029 3030 121ec 3028->3030 3031 144b9 20 API calls 3029->3031 3032 1171e _vsnprintf 3030->3032 3031->3024 3033 12218 RegSetValueExA RegCloseKey LocalFree 3032->3033 3033->3010 3036 14016 CreateProcessA 3035->3036 3046 14106 3035->3046 3037 14041 WaitForSingleObject GetExitCodeProcess 3036->3037 3038 140c4 3036->3038 3047 14070 3037->3047 3041 16285 GetLastError 3038->3041 3039 16ce0 4 API calls 3040 14117 3039->3040 3040->2772 3043 140c9 GetLastError FormatMessageA 3041->3043 3045 144b9 20 API calls 3043->3045 3044 14096 CloseHandle CloseHandle 3044->3046 3048 140ba 3044->3048 3045->3046 3046->3039 3106 1411b 3047->3106 3048->3046 3050 164c2 3049->3050 3051 1658a CharPrevA 3050->3051 3052 164d8 GetFileAttributesA 3051->3052 3053 16501 LoadLibraryA 3052->3053 3054 164ea 3052->3054 3056 16508 3053->3056 3054->3053 3055 164ee LoadLibraryExA 3054->3055 3055->3056 3057 16ce0 4 API calls 3056->3057 3058 16513 3057->3058 3058->2784 3060 12381 3059->3060 3061 12289 RegOpenKeyExA 3059->3061 3062 16ce0 4 API calls 
3060->3062 3061->3060 3063 122b1 RegQueryValueExA 3061->3063 3064 1238c 3062->3064 3065 12374 RegCloseKey 3063->3065 3066 122e6 memset GetSystemDirectoryA 3063->3066 3064->2761 3065->3060 3067 12321 3066->3067 3068 1230f 3066->3068 3070 1171e _vsnprintf 3067->3070 3069 1658a CharPrevA 3068->3069 3069->3067 3071 1233f RegSetValueExA 3070->3071 3071->3065 3074 11a9a 3073->3074 3077 11aaf 3074->3077 3078 11aba 3074->3078 3092 1667f 3074->3092 3076 1667f 2 API calls 3076->3077 3077->3076 3077->3078 3078->2971 3080 12ad4 GetModuleFileNameA 3079->3080 3081 12be6 3079->3081 3090 12b02 3080->3090 3082 16ce0 4 API calls 3081->3082 3083 12bf5 3082->3083 3083->2992 3084 12af1 IsDBCSLeadByte 3084->3090 3085 12b11 CharNextA CharUpperA 3087 12b8d CharUpperA 3085->3087 3085->3090 3086 12bca CharNextA 3088 12bd3 CharNextA 3086->3088 3087->3090 3088->3090 3090->3081 3090->3084 3090->3085 3090->3086 3090->3088 3090->3090 3091 12b43 CharPrevA 3090->3091 3097 165e8 3090->3097 3091->3090 3093 16689 3092->3093 3094 166a5 3093->3094 3095 16648 IsDBCSLeadByte 3093->3095 3096 16697 CharNextA 3093->3096 3094->3074 3095->3093 3096->3093 3098 165f4 3097->3098 3098->3098 3099 165fb CharPrevA 3098->3099 3100 16611 CharPrevA 3099->3100 3101 1660b 3100->3101 3102 1661e 3100->3102 3101->3100 3101->3102 3103 1663d 3102->3103 3104 16634 CharNextA 3102->3104 3105 16627 CharPrevA 3102->3105 3103->3090 3104->3103 3105->3103 3105->3104 3107 14132 3106->3107 3109 1412a 3106->3109 3110 11ea7 3107->3110 3109->3044 3111 11ed3 3110->3111 3112 11eba 3110->3112 3111->3109 3113 1256d 15 API calls 3112->3113 3113->3111 3115 11ff0 RegOpenKeyExA 3114->3115 3116 12026 3114->3116 3115->3116 3117 1200f RegDeleteValueA RegCloseKey 3115->3117 3116->2477 3117->3116 3227 16a20 __getmainargs 3228 119e0 3229 11a03 3228->3229 3230 11a24 GetDesktopWindow 3228->3230 3231 11a20 3229->3231 3233 11a16 EndDialog 3229->3233 3232 143d0 11 API calls 3230->3232 3235 16ce0 4 API calls 3231->3235 3234 11a33 LoadStringA SetDlgItemTextA 
MessageBeep 3232->3234 3233->3231 3234->3231 3236 11a7e 3235->3236 3237 16bef _XcptFilter 3238 17270 _except_handler4_common 3239 169b0 3240 169b5 3239->3240 3248 16fbe GetModuleHandleW 3240->3248 3242 169c1 __set_app_type __p__fmode __p__commode 3243 169f9 3242->3243 3244 16a02 __setusermatherr 3243->3244 3245 16a0e 3243->3245 3244->3245 3250 171ef _controlfp 3245->3250 3247 16a13 3249 16fcf 3248->3249 3249->3242 3250->3247 3251 134f0 3252 13504 3251->3252 3253 135b8 3251->3253 3252->3253 3254 1351b 3252->3254 3255 135be GetDesktopWindow 3252->3255 3256 13671 EndDialog 3253->3256 3257 13526 3253->3257 3259 1354f 3254->3259 3260 1351f 3254->3260 3258 143d0 11 API calls 3255->3258 3256->3257 3261 135d6 3258->3261 3259->3257 3263 13559 ResetEvent 3259->3263 3260->3257 3262 1352d TerminateThread EndDialog 3260->3262 3264 135e0 GetDlgItem SendMessageA GetDlgItem SendMessageA 3261->3264 3265 1361d SetWindowTextA CreateThread 3261->3265 3262->3257 3266 144b9 20 API calls 3263->3266 3264->3265 3265->3257 3268 13646 3265->3268 3267 13581 3266->3267 3269 1359b SetEvent 3267->3269 3271 1358a SetEvent 3267->3271 3270 144b9 20 API calls 3268->3270 3272 13680 4 API calls 3269->3272 3270->3253 3271->3257 3272->3253 3273 16ef0 3274 16f2d 3273->3274 3276 16f02 3273->3276 3275 16f27 ?terminate@ 3275->3274 3276->3274 3276->3275

Callgraph

• Executed
• Not Executed
• Opacity -> Relevance
• Disassembly available

Control-flow Graph

• Executed
• Not Executed
APIs
• memset.MSVCRT ref: 00013C11
• CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00013CDC
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146A0
  • Part of subcall function 0001468F: SizeofResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146A9
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146C3
  • Part of subcall function 0001468F: LoadResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146CC
  • Part of subcall function 0001468F: LockResource.KERNEL32(00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146D3
  • Part of subcall function 0001468F: memcpy_s.MSVCRT ref: 000146E5
  • Part of subcall function 0001468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000146EF
• CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00018C42), ref: 00013D8F
• GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00013E26
• FreeLibrary.KERNEL32(00000000,?,00018C42), ref: 00013EFF
• LocalFree.KERNEL32(?,?,?,?,00018C42), ref: 00013F1F
• FreeLibrary.KERNEL32(00000000,?,00018C42), ref: 00013F40
• LocalFree.KERNEL32(?,?,?,?,00018C42), ref: 00013F47
• FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00018C42), ref: 00013F76
• LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00018C42), ref: 00013F80
• LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00018C42), ref: 00013FC2
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
• String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$smo
• API String ID: 1032054927-3762544297
• Opcode ID: 13d4ae2ffe3d07a20ce5f469ba6df89c4798205b77d10b92885e17dba4c734b8
• Instruction ID: bc2a735f0d3779d55ab170ab4ff5a7f132aee5263945acfe46b0c83b151614a8
• Opcode Fuzzy Hash: 13d4ae2ffe3d07a20ce5f469ba6df89c4798205b77d10b92885e17dba4c734b8
• Instruction Fuzzy Hash: A4B1E070A083019BE764DF24E845BEB76E5EB85700F10892DFA85D71E1DB78CAC5CB92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 00011BE7
• GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 00011BFE
• LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 00011C57
• GetPrivateProfileIntA.KERNEL32(?,Reboot,00000000,?), ref: 00011C88
• GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00011140,00000000,00000008,?), ref: 00011CB8
• GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00011D1B
  • Part of subcall function 000144B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00014518
  • Part of subcall function 000144B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00014554
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
                                                                                                                                                                                                                  • String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                                                                                                                                                                                                  • API String ID: 383838535-819679500
                                                                                                                                                                                                                  • Opcode ID: d9efc81146bbef27f4bb913e41b778efc32eca552772db64e4c46c48676ad1e3
                                                                                                                                                                                                                  • Instruction ID: f478fb531c7f694540cccaa9978ea6b251f191eb889674a7ada136108e960326
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d9efc81146bbef27f4bb913e41b778efc32eca552772db64e4c46c48676ad1e3
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A7A17AB0A042186BEB689B24DC45FEA77A9EF45310F144294F795A32C1DBB49EC6CB50
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph
• (interactive graph not reproduced; legend: Executed / Not Executed)
APIs
• GetSystemDirectoryA.KERNEL32(?,00000105), ref: 00012F93
• LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00012FB2
• GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00012FC6
• DecryptFileA.ADVAPI32 ref: 00012FE6
• FreeLibrary.KERNEL32(00000000), ref: 00012FF8
• SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0001301C
  • Part of subcall function 000151E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00012F4D,?,00000002,00000000), ref: 00015201
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
• String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$DecryptFileA$advapi32.dll
• API String ID: 2126469477-3023407756
• Opcode ID: 3b15c55620060d9c058f2f4722169fd00f3553706eb978ffe59ba36eb6347378
• Instruction ID: de2cfa715fcf1a5119a27c96ffa6518ffdd355b7fca865f2081c3df58d695955
• Opcode Fuzzy Hash: 3b15c55620060d9c058f2f4722169fd00f3553706eb978ffe59ba36eb6347378
• Instruction Fuzzy Hash: 5241A531A002059BFB72AB71AC556E673F9AF48750F408179EA41C2192EB78CFC4CB62
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• (interactive graph not reproduced; legend: Executed / Not Executed)
APIs
• FindFirstFileA.KERNELBASE(?,00018A3A,000111F4,00018A3A,00000000,?,?), ref: 000123F6
• lstrcmpA.KERNEL32(?,000111F8), ref: 00012427
• lstrcmpA.KERNEL32(?,000111FC), ref: 0001243B
• SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00012495
• DeleteFileA.KERNEL32(?), ref: 000124A3
• FindNextFileA.KERNELBASE(00000000,00000010), ref: 000124AF
• FindClose.KERNELBASE(00000000), ref: 000124BE
• RemoveDirectoryA.KERNELBASE(00018A3A), ref: 000124C5
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
• String ID: (none)
• API String ID: 836429354-0
• Opcode ID: 5fadaf4abfc274cafbb755e78abaa4275a9419866f77df4dce5efc686f18587e
• Instruction ID: 598d08efb04413fbfe67284edfbdebb3394ebfbfb760013a0fcca27e032a0a29
• Opcode Fuzzy Hash: 5fadaf4abfc274cafbb755e78abaa4275a9419866f77df4dce5efc686f18587e
• Instruction Fuzzy Hash: 4A31C731305740ABD325DBA4CC89AEBB3ECAFC9305F04492DB655C7191EB38998DC752
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetVersion.KERNEL32(?,00000002,00000000,?,00016BB0,00010000,00000000,00000002,0000000A), ref: 00012C03
• GetModuleHandleW.KERNEL32(Kernel32.dll,?,00016BB0,00010000,00000000,00000002,0000000A), ref: 00012C18
• GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00012C28
• CloseHandle.KERNEL32(00000000,?,?,00016BB0,00010000,00000000,00000002,0000000A), ref: 00012C98
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Handle$AddressCloseModuleProcVersion
• String ID: HeapSetInformation$Kernel32.dll
• API String ID: 62482547-3460614246
• Opcode ID: 97852e7719cfaec14df5ee150d48d7e489aed108ab41d5d01db92665d7f8eff1
• Instruction ID: 2cac823cbaaa6a76787c4c2c07d35984bc8ec9d3813471a46231611d1dda10df
• Opcode Fuzzy Hash: 97852e7719cfaec14df5ee150d48d7e489aed108ab41d5d01db92665d7f8eff1
• Instruction Fuzzy Hash: 55110C317013056BE7217BB5AC58AEF37E99B89794B048025FB04D7251DA39DCD1CAE1
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• (interactive graph not reproduced)
APIs
• memset.MSVCRT ref: 00012050
• memset.MSVCRT ref: 0001205F
• RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0001208C
  • Part of subcall function 0001171E: _vsnprintf.MSVCRT ref: 00011750
• RegQueryValueExA.KERNELBASE(?,wextract_cleanup1,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000120C9
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000120EA
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00012103
• LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00012122
• GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00012134
• FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00012144
                                                                                                                                                                                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0001215B
                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0001218C
                                                                                                                                                                                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000121C1
                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000121E4
                                                                                                                                                                                                                  • RegSetValueExA.KERNELBASE(?,wextract_cleanup1,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0001223D
                                                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00012249
                                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00012250
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
                                                                                                                                                                                                                  • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup1
                                                                                                                                                                                                                  • API String ID: 178549006-217856272
                                                                                                                                                                                                                  • Opcode ID: f609d328378ea1cbf63f7bd42d6acafb0d45f75c2fe8d36423531960f52209a8
                                                                                                                                                                                                                  • Instruction ID: fd6b60bf8fb759e12680741886a6e74acb6856e49a3cab13c685cbd76fbda9f9
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f609d328378ea1cbf63f7bd42d6acafb0d45f75c2fe8d36423531960f52209a8
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2F513471A00218BBEB229B60DC49FFA777CEF59700F0081A4FA49E7151DA759EC98B60
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
control_flow_graph 232 155a0-155d9 call 1468f LocalAlloc 235 155db-155f1 call 144b9 call 16285 232->235 236 155fd-1560c call 1468f 232->236 251 155f6-155f8 235->251 241 15632-15643 lstrcmpA 236->241 242 1560e-15630 call 144b9 LocalFree 236->242 245 15645 241->245 246 1564b-15659 LocalFree 241->246 242->251 245->246 249 15696-1569c 246->249 250 1565b-1565d 246->250 252 156a2-156a8 249->252 253 1589f-158b5 call 16517 249->253 254 15669 250->254 255 1565f-15667 250->255 256 158b7-158c7 call 16ce0 251->256 252->253 258 156ae-156c1 GetTempPathA 252->258 253->256 259 1566b-1567a call 15467 254->259 255->254 255->259 262 156f3-15711 call 11781 258->262 263 156c3-156c9 call 15467 258->263 270 15680-15691 call 144b9 259->270 271 1589b-1589d 259->271 273 15717-15729 GetDriveTypeA 262->273 274 1586c-15890 GetWindowsDirectoryA call 1597d 262->274 269 156ce-156d0 263->269 269->271 275 156d6-156df call 12630 269->275 270->251 271->256 278 15730-15740 GetFileAttributesA 273->278 279 1572b-1572e 273->279 274->262 288 15896 274->288 275->262 289 156e1-156ed call 15467 275->289 282 15742-15745 278->282 283 1577e-1578f call 1597d 278->283 279->278 279->282 286 15747-1574f 282->286 287 1576b 282->287 298 15791-1579e call 12630 283->298 299 157b2-157bf call 12630 283->299 291 15771-15779 286->291 292 15751-15753 286->292 287->291 288->271 289->262 289->271 296 15864-15866 291->296 292->291 295 15755-15762 call 16952 292->295 295->287 309 15764-15769 295->309 296->273 296->274 298->287 306 157a0-157b0 call 1597d 298->306 307 157c1-157cd GetWindowsDirectoryA 299->307 308 157d3-157f8 call 1658a GetFileAttributesA 299->308 306->287 306->299 307->308 314 1580a 308->314 315 157fa-15808 CreateDirectoryA 308->315 309->283 309->287 316 1580d-1580f 314->316 315->316 317 15811-15825 316->317 318 15827-1585c SetFileAttributesA call 11781 call 15467 316->318 317->296 318->271 323 1585e 318->323 323->296
APIs
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146A0
  • Part of subcall function 0001468F: SizeofResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146A9
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146C3
  • Part of subcall function 0001468F: LoadResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146CC
  • Part of subcall function 0001468F: LockResource.KERNEL32(00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146D3
  • Part of subcall function 0001468F: memcpy_s.MSVCRT ref: 000146E5
  • Part of subcall function 0001468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000146EF
• LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 000155CF
• lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00015638
• LocalFree.KERNEL32(00000000), ref: 0001564C
• LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00015620
  • Part of subcall function 000144B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00014518
  • Part of subcall function 000144B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00014554
  • Part of subcall function 00016285: GetLastError.KERNEL32(00015BBC), ref: 00016285
• GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 000156B9
• GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 0001571E
• GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00015737
• GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 000157CD
• GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 000157EF
• CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00015802
  • Part of subcall function 00012630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00012654
• SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00015830
  • Part of subcall function 00016517: FindResourceA.KERNEL32(00010000,000007D6,00000005), ref: 0001652A
  • Part of subcall function 00016517: LoadResource.KERNEL32(00010000,00000000,?,?,00012EE8,00000000,000119E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00016538
  • Part of subcall function 00016517: DialogBoxIndirectParamA.USER32(00010000,00000000,00000547,000119E0,00000000), ref: 00016557
  • Part of subcall function 00016517: FreeResource.KERNEL32(00000000,?,?,00012EE8,00000000,000119E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00016560
• GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00015878
  • Part of subcall function 0001597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 000159A8
  • Part of subcall function 0001597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 000159AF
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
• String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$RUNPROGRAM$Z$msdownld.tmp
• API String ID: 2436801531-1384155332
• Opcode ID: 770e267256f15c28cf3c8d6e8e58b03ebf3969db229aeae56a3e9224a9cc5085
• Instruction ID: 82a244638db8aed820118cb2d6a41c3c201b624401b54a9b45ce2bc6c02d10c9
• Opcode Fuzzy Hash: 770e267256f15c28cf3c8d6e8e58b03ebf3969db229aeae56a3e9224a9cc5085
• Instruction Fuzzy Hash: DF817B70B04A04DBEB61AB709C95BFE72ADAFD5305F004065F586EB1D2EF788EC18A51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 324 12caa-12d1c memset * 3 call 1468f 327 12ef3 324->327 328 12d22-12d27 324->328 330 12ef8-12f01 call 144b9 327->330 328->327 329 12d2d-12d59 CreateEventA SetEvent call 1468f 328->329 335 12d5b-12d78 call 144b9 329->335 336 12d7d-12d84 329->336 334 12f06 330->334 337 12f08-12f18 call 16ce0 334->337 335->334 339 12d8a-12da1 call 1468f 336->339 340 12e1f-12e2e call 15c9e 336->340 339->335 350 12da3-12dbb CreateMutexA 339->350 348 12e30-12e35 340->348 349 12e3a-12e41 340->349 348->330 352 12e43-12e4d call 12390 349->352 353 12e52-12e62 FindResourceA 349->353 350->340 351 12dbd-12dc8 GetLastError 350->351 351->340 354 12dca-12dd3 351->354 352->334 355 12e64-12e6c LoadResource 353->355 356 12e6e-12e75 353->356 359 12dd5-12de8 call 144b9 354->359 360 12dea-12e02 call 144b9 354->360 355->356 361 12e77 356->361 362 12e7d-12e84 356->362 370 12e04-12e1a CloseHandle 359->370 360->340 360->370 361->362 365 12e86-12e89 362->365 366 12e8b-12e94 call 136ee 362->366 365->337 366->334 372 12e96-12ea2 366->372 370->334 373 12eb0-12eba 372->373 374 12ea4-12ea8 372->374 376 12ebc-12ec3 373->376 377 12eef-12ef1 373->377 374->373 375 12eaa-12eae 374->375 375->373 375->377 376->377 378 12ec5-12ecc call 118a3 376->378 377->337 378->377 381 12ece-12eed call 16517 378->381 381->334 381->377
APIs
• memset.MSVCRT ref: 00012CD9
• memset.MSVCRT ref: 00012CE9
• memset.MSVCRT ref: 00012CF9
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146A0
  • Part of subcall function 0001468F: SizeofResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146A9
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146C3
  • Part of subcall function 0001468F: LoadResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146CC
  • Part of subcall function 0001468F: LockResource.KERNEL32(00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146D3
  • Part of subcall function 0001468F: memcpy_s.MSVCRT ref: 000146E5
  • Part of subcall function 0001468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000146EF
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00012D34
• SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00012D40
• CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00012DAE
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00012DBD
• CloseHandle.KERNEL32(smo,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00012E0A
  • Part of subcall function 000144B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00014518
  • Part of subcall function 000144B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00014554
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
                                                                                                                                                                                                                  • String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$smo
                                                                                                                                                                                                                  • API String ID: 1002816675-4137116347
                                                                                                                                                                                                                  • Opcode ID: 3974a2e8c4b7966d827b40908e848c43c270ea2e2d9f1506d063e114789a23b2
                                                                                                                                                                                                                  • Instruction ID: 378ba0ef396c4ceb52fbece2ce5b7fc9e5210fcb399dd5afcd7d6e460d863406
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3974a2e8c4b7966d827b40908e848c43c270ea2e2d9f1506d063e114789a23b2
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4751D5707403016BF764A7209C5ABFA36D9EB46704F508039FA45D61E2DBBC89E2C766
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 000159A8
• SetCurrentDirectoryA.KERNELBASE(?), ref: 000159AF
• GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00015A13
• MulDiv.KERNEL32(?,?,00000400), ref: 00015A40
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00015A64
• memset.MSVCRT ref: 00015A7C
• GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00015A98
• FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00015AA5
• SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00015BFC
  • Part of subcall function 000144B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00014518
  • Part of subcall function 000144B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00014554
  • Part of subcall function 00016285: GetLastError.KERNEL32(00015BBC), ref: 00016285
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
• String ID:
• API String ID: 4237285672-0
• Opcode ID: 541736618a84f3e86ca8866dafd020c4522ad734c7013ae105a5e7359b70505e
• Instruction ID: 4f33157d501fc4d4479387d7c629403137ead844119f5f39c27cea577bef65c9
• Opcode Fuzzy Hash: 541736618a84f3e86ca8866dafd020c4522ad734c7013ae105a5e7359b70505e
• Instruction Fuzzy Hash: E07182B1A0160CAFEB669F60CCC5BFA77BCEB88341F5481A9F40596181DB349EC58B61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146A0
  • Part of subcall function 0001468F: SizeofResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146A9
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146C3
  • Part of subcall function 0001468F: LoadResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146CC
  • Part of subcall function 0001468F: LockResource.KERNEL32(00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146D3
  • Part of subcall function 0001468F: memcpy_s.MSVCRT ref: 000146E5
  • Part of subcall function 0001468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000146EF
• FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00014FFE
• LoadResource.KERNEL32(00000000,00000000), ref: 00015006
• LockResource.KERNEL32(00000000), ref: 0001500D
• GetDlgItem.USER32(00000000,00000842), ref: 00015030
• ShowWindow.USER32(00000000), ref: 00015037
• GetDlgItem.USER32(00000841,00000005), ref: 0001504A
• ShowWindow.USER32(00000000), ref: 00015051
• FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00015111
• SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00015159
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
• String ID: *MEMCAB$CABINET
• API String ID: 1305606123-2642027498
• Opcode ID: eb251b7f0cea8598dad2a09de0f412877f74ecbe8fae53838baff9c739cb5e56
• Instruction ID: 583f6cb9ed06ea5485322380383c0d96a75c66a75965c3b2bf3b9a4dc9a34905
• Opcode Fuzzy Hash: eb251b7f0cea8598dad2a09de0f412877f74ecbe8fae53838baff9c739cb5e56
• Instruction Fuzzy Hash: 8A31D8B1741701BBF7615B61ADC9FE73A9CFB49755F048014FA01AA1A1DBBC8CC08661
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00014518
• MessageBoxA.USER32(?,?,smo,00010010), ref: 00014554
• LocalAlloc.KERNEL32(00000040,00000065), ref: 000145A3
• LocalAlloc.KERNEL32(00000040,00000065), ref: 000145E3
• LocalAlloc.KERNEL32(00000040,00000002), ref: 0001460D
• MessageBeep.USER32(00000000), ref: 00014630
• MessageBoxA.USER32(?,00000000,smo,00000000), ref: 00014666
• LocalFree.KERNEL32(00000000), ref: 0001466F
                                                                                                                                                                                                                    • Part of subcall function 0001681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0001686E
                                                                                                                                                                                                                    • Part of subcall function 0001681F: GetSystemMetrics.USER32(0000004A), ref: 000168A7
                                                                                                                                                                                                                    • Part of subcall function 0001681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 000168CC
                                                                                                                                                                                                                    • Part of subcall function 0001681F: RegQueryValueExA.ADVAPI32(?,00011140,00000000,?,?,0000000C), ref: 000168F4
                                                                                                                                                                                                                    • Part of subcall function 0001681F: RegCloseKey.ADVAPI32(?), ref: 00016902
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
                                                                                                                                                                                                                  • String ID: LoadString() Error. Could not load string resource.$smo
                                                                                                                                                                                                                  • API String ID: 3244514340-2161240188
                                                                                                                                                                                                                  • Opcode ID: c9235bf193e683e091daf339e3d26711bfae60c6c43374999ee6b253845e2342
                                                                                                                                                                                                                  • Instruction ID: ef705ded984e68045199871a704b4b4a889428ce9a5d539bec70ec3a439ea750
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c9235bf193e683e091daf339e3d26711bfae60c6c43374999ee6b253845e2342
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1C511972A00215AFDB219F28CC48BFA7BB9EF46304F144194FD09A7252DB36DE85CB91
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0001171E: _vsnprintf.MSVCRT ref: 00011750
• RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 000153FB
• GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00015402
• GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0001541F
• DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0001542B
• CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00015434
• CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00015452
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
• String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$IXP$IXP%03d.TMP
• API String ID: 1082909758-957705000
• Opcode ID: bee82df384ffdd318ee012b123ec882458ca6f7a8a69f6ef80a72e2e2c40a1fa
• Instruction ID: 108760ccdd8d633ea8c310931c90e5615df1d61abcfe88555e89570260c018ee
• Opcode Fuzzy Hash: bee82df384ffdd318ee012b123ec882458ca6f7a8a69f6ef80a72e2e2c40a1fa
• Instruction Fuzzy Hash: DD112771701614B7E3259B369C49FEF366DEFC6322F004125F656D7191CE788AC286A2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 000154C9
• CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0001553D
• RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0001556F
  • Part of subcall function 000153A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 000153FB
  • Part of subcall function 000153A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00015402
  • Part of subcall function 000153A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0001541F
  • Part of subcall function 000153A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0001542B
  • Part of subcall function 000153A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00015434
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
• String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$alpha$i386$mips$ppc
• API String ID: 1979080616-772166365
• Opcode ID: 93cb2ac90aa389b50c860ec23532f5156fb7734e1679a60fa40fc09d94284fc2
• Instruction ID: 4309e8fdc5188a67c50bdcb1b981b961e11b8ba3c00a51afd923391c7b719795
• Opcode Fuzzy Hash: 93cb2ac90aa389b50c860ec23532f5156fb7734e1679a60fa40fc09d94284fc2
• Instruction Fuzzy Hash: 3A313870B00E04EBDB249B2A9C645FE77EBABC5746B04412AB901CB185DB748FC18791
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                  control_flow_graph 623 1256d-1257d 624 12583-12589 623->624 625 12622-12627 call 124e0 623->625 627 125e8-12607 RegOpenKeyExA 624->627 628 1258b 624->628 633 12629-1262f 625->633 629 125e3-125e6 627->629 630 12609-12620 RegQueryInfoKeyA 627->630 632 12591-12595 628->632 628->633 629->633 635 125d1-125dd RegCloseKey 630->635 632->633 634 1259b-125ba RegOpenKeyExA 632->634 634->629 636 125bc-125cb RegQueryValueExA 634->636 635->629 636->635
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,00014096,00014096,?,00011ED3,00000001,00000000,?,?,00014137,?), ref: 000125B2
                                                                                                                                                                                                                  • RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00014096,?,00011ED3,00000001,00000000,?,?,00014137,?,00014096), ref: 000125CB
                                                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?,?,00011ED3,00000001,00000000,?,?,00014137,?,00014096), ref: 000125DD
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,00014096,00014096,?,00011ED3,00000001,00000000,?,?,00014137,?), ref: 000125FF
• RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00014096,00000000,00000000,00000000,00000000,?,00011ED3,00000001,00000000), ref: 0001261A
Strings
• System\CurrentControlSet\Control\Session Manager, xrefs: 000125A8
• System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 000125F5
• PendingFileRenameOperations, xrefs: 000125C3
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: OpenQuery$CloseInfoValue
• String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
• API String ID: 2209512893-559176071
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Part of subcall function 00017155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00017182
• Part of subcall function 00017155: GetCurrentProcessId.KERNEL32 ref: 00017191
• Part of subcall function 00017155: GetCurrentThreadId.KERNEL32 ref: 0001719A
• Part of subcall function 00017155: GetTickCount.KERNEL32 ref: 000171A3
• Part of subcall function 00017155: QueryPerformanceCounter.KERNEL32(?), ref: 000171B8
• GetStartupInfoW.KERNEL32(?,000172B8,00000058), ref: 00016A7F
• Sleep.KERNEL32(000003E8), ref: 00016AB4
• _amsg_exit.MSVCRT ref: 00016AC9
• _initterm.MSVCRT ref: 00016B1D
• __IsNonwritableInCurrentImage.LIBCMT ref: 00016B49
• exit.KERNELBASE ref: 00016BBF
• _ismbblead.MSVCRT ref: 00016BDA
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
• String ID:
• API String ID: 836923961-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00015534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 000158E7
• CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00015534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00015943
• LocalFree.KERNEL32(00000000,?,00015534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0001594D
• CloseHandle.KERNEL32(00000000,?,00015534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0001595C
• GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00015534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00015963
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
• String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$TMP4351$.TMP
• API String ID: 747627703-3033780695
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 00014033
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00014049
• GetExitCodeProcess.KERNELBASE(?,?), ref: 0001405C
• CloseHandle.KERNEL32(?), ref: 0001409C
• CloseHandle.KERNEL32(?), ref: 000140A8
• GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 000140DC
• FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 000140E9
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
• String ID:
• API String ID: 3183975587-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146A0
  • Part of subcall function 0001468F: SizeofResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146A9
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146C3
  • Part of subcall function 0001468F: LoadResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146CC
  • Part of subcall function 0001468F: LockResource.KERNEL32(00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146D3
  • Part of subcall function 0001468F: memcpy_s.MSVCRT ref: 000146E5
  • Part of subcall function 0001468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000146EF
• LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00012F4D,?,00000002,00000000), ref: 00015201
• LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00015250
  • Part of subcall function 000144B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00014518
  • Part of subcall function 000144B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00014554
  • Part of subcall function 00016285: GetLastError.KERNEL32(00015BBC), ref: 00016285
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
• String ID: <None>$UPROMPT
• API String ID: 957408736-2980973527
• Opcode ID: 5003bdb7c0257e1dca1c58745c2575240842d13fc1c956447e62a8a1418867f6
• Instruction ID: 827b76470dc5370f428e68f2854fa218895283a472318bc5e084fa5c3d074a46
• Opcode Fuzzy Hash: 5003bdb7c0257e1dca1c58745c2575240842d13fc1c956447e62a8a1418867f6
• Instruction Fuzzy Hash: 7911E2B6341601BBE3256BB15C59BFB71EDDBCB781B108029F702DA191DA7D8C804125
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNELBASE(031B46A8,00000080,?,00000000), ref: 000152F2
• DeleteFileA.KERNELBASE(031B46A8), ref: 000152FA
• LocalFree.KERNEL32(031B46A8,?,00000000), ref: 00015305
• LocalFree.KERNEL32(031B46A8), ref: 0001530C
• SetCurrentDirectoryA.KERNELBASE(000111FC,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 00015363
Strings
• C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00015334
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
• String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
• API String ID: 2833751637-3647970563
• Opcode ID: 06088c0bbe653cd7c336331a9c6214762f17a2c956ae28baf4b8cb888d863457
• Instruction ID: 8e4a26da8f076bf64c89fd0f536578122f8c441a241396dbfa03a2d9866606c4
• Opcode Fuzzy Hash: 06088c0bbe653cd7c336331a9c6214762f17a2c956ae28baf4b8cb888d863457
• Instruction Fuzzy Hash: 7221CF31501604DBFB629B10EC19BE977F1BF48741F448119E9525B1A1CBB95EC8CB81
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0001538C,?,?,0001538C), ref: 00012005
• RegDeleteValueA.KERNELBASE(0001538C,wextract_cleanup1,?,?,0001538C), ref: 00012017
• RegCloseKey.ADVAPI32(0001538C,?,?,0001538C), ref: 00012020
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup1
• API String ID: 849931509-1592051331
• Opcode ID: d1561be01e3ad79b864bc9d7d708ed97bd1117ac63128eba5834cff07efc8e5a
• Instruction ID: eb38d3a501df9c01f966700ec36ff1faa95700e11d0f360a97fb62ccc998447c
• Opcode Fuzzy Hash: d1561be01e3ad79b864bc9d7d708ed97bd1117ac63128eba5834cff07efc8e5a
• Instruction Fuzzy Hash: F7E04F30651318FFEB238B90ED0EFD97B6AFB09780F104294BA04A0061EB655B94D705
Uniqueness
Uniqueness Score: -1.00%
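
The two listings above, the IXP001.TMP directory cleanup (SetFileAttributesA to FILE_ATTRIBUTE_NORMAL followed by DeleteFileA, then SetCurrentDirectoryA out of the directory) and the removal of the wextract_cleanup1 value under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce, are the artifacts of the Windows wextract.exe self-extracting stub that IExpress packages use: it unpacks into %TEMP%\IXPnnn.TMP, registers a RunOnce cleanup value for that directory, and deletes both once it has run its payload. The script below is an added example written for this page; it is not Joe Sandbox code and is not part of the report. It parses API lines in the format the APIs sections above print (Api.Module(args), ref: ADDR, optionally prefixed with a "Part of subcall function" note), and flags the four indicators. Assumptions, labelled in the code: the line format, that no argument contains a comma (true for every line here), and that the SetFileAttributesA/DeleteFileA pairing is detected only when the two calls are consecutive on the same first argument. The sample trace is constructed from lines copied out of the listings above, with two extra lines that must not produce a finding.

```python
"""Flag wextract.exe (IExpress) unpacking-stub artifacts in Joe Sandbox API listings.

Added example for this report; it is not Joe Sandbox code. Assumed line format
(the one printed in the 'APIs' sections):
    [  ][• ][Part of subcall function XXXX: ]Api.Module(arg1,arg2,...), ref: ADDR
Assumption: no argument contains a comma, so a plain split on ',' is safe.
"""
import re
from typing import List, NamedTuple, Optional

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"                       # memcpy_s.MSVCRT has no argument list
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
FILE_ATTRIBUTE_NORMAL = 0x80                       # the 00000080 passed to SetFileAttributesA above
IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\?", re.IGNORECASE)          # wextract temp dir, e.g. IXP001.TMP
WEXTRACT_CLEANUP = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: Optional[str]


def _hex(s: str) -> Optional[int]:
    """Parse a hex argument; '?' (unresolved) and symbolic arguments give None."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_api_line(line: str) -> Optional[Call]:
    """Return the parsed call, or None for lines that are not API entries."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return Call(m.group("api"), m.group("module"), args, m.group("ref"))


def scan_api_trace(lines: List[str]) -> List[str]:
    """Return one human-readable finding per wextract artifact, in trace order."""
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    findings: List[str] = []
    for i, c in enumerate(calls):
        # RunOnce key opened: RegOpenKeyExA(hive, ...\CurrentVersion\RunOnce, ...)
        if (c.api.startswith("RegOpenKeyEx") and len(c.args) >= 2
                and c.args[1].lower().endswith("currentversion\\runonce")):
            findings.append(f"RunOnce key opened under {HIVES.get(c.args[0], c.args[0])} (ref {c.ref})")
        # The stub deletes its own wextract_cleanupN RunOnce value after cleaning up
        if (c.api.startswith("RegDeleteValue") and len(c.args) >= 2
                and WEXTRACT_CLEANUP.match(c.args[1])):
            findings.append(f"wextract cleanup RunOnce value deleted: {c.args[1]} (ref {c.ref})")
        # Attributes reset to NORMAL (clears read-only) right before DeleteFileA on the same path
        # Assumption: only consecutive calls with an identical first argument are paired.
        if (c.api.startswith("SetFileAttributes") and len(c.args) >= 2
                and _hex(c.args[1]) == FILE_ATTRIBUTE_NORMAL and i + 1 < len(calls)):
            nxt = calls[i + 1]
            if nxt.api.startswith("DeleteFile") and nxt.args and nxt.args[0] == c.args[0]:
                findings.append(f"attributes reset then file deleted, path arg {c.args[0]} (ref {nxt.ref})")
        # Any argument naming the IXPnnn.TMP extraction directory
        for a in c.args:
            if IXP_DIR.search(a):
                findings.append(f"IExpress extraction directory referenced: {a} (ref {c.ref})")
    return findings


# Constructed sample: API lines copied from the listings above, plus two that must not fire.
SAMPLE_TRACE = [
    r"• RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0001538C,?,?,0001538C), ref: 00012005",
    r"• RegDeleteValueA.KERNELBASE(0001538C,wextract_cleanup1,?,?,0001538C), ref: 00012017",
    r"• RegCloseKey.ADVAPI32(0001538C,?,?,0001538C), ref: 00012020",
    r"• SetFileAttributesA.KERNELBASE(031B46A8,00000080,?,00000000), ref: 000152F2",
    r"• DeleteFileA.KERNELBASE(031B46A8), ref: 000152FA",
    r"• LocalFree.KERNEL32(031B46A8,?,00000000), ref: 00015305",
    r"• SetCurrentDirectoryA.KERNELBASE(000111FC,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 00015363",
    r"• SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00014DB5",                 # unresolved attribute: no finding
    r"  • Part of subcall function 0001468F: memcpy_s.MSVCRT ref: 000146E5",    # no argument list: parses, no finding
]

if __name__ == "__main__":
    for finding in scan_api_trace(SAMPLE_TRACE):
        print(finding)
```

Run against the sample it reports the four artifacts in order: the HKLM RunOnce open, the wextract_cleanup1 deletion, the attribute reset followed by DeleteFileA on 031B46A8, and the IXP001.TMP path. On a live host the equivalent hunt is to list %TEMP%\IXP*.TMP directories and any RunOnce values named wextract_cleanup*; the stub itself is Microsoft-signed, so the interesting question is what it extracted and executed, which is what the rest of this report covers.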

APIs
• SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00014DB5
• SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00014DDD
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: AttributesFileItemText
• String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
• API String ID: 3625706803-3647970563
• Opcode ID: 728dc179ce776ecb56691ddad1c060caaa71b0641a0bdd82626972817e792187
• Instruction ID: 89eaf10ce3cea328a45571cbbf02891510d132cbe7d7c11dc9032d0131171fe3
• Opcode Fuzzy Hash: 728dc179ce776ecb56691ddad1c060caaa71b0641a0bdd82626972817e792187
• Instruction Fuzzy Hash: 654122362041029BCF619F38ED546FA73E5EB46300F148668E886972B6DF32DECAC750
Uniqueness
Uniqueness Score: -1.00%

APIs
• DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00014C54
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00014C66
• SetFileTime.KERNELBASE(?,?,?,?), ref: 00014C7E
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Time$File$DateLocal
• String ID:
• API String ID: 2071732420-0
• Opcode ID: 441ed525d6692fb928ffaf9ac68978064fcf92c8399c798f15daa614b0ec54b9
• Instruction ID: 248f36c73c0d881b31ba4ced96d8dd8a66f15f4335e26b661d1a363fd0eca90a
• Opcode Fuzzy Hash: 441ed525d6692fb928ffaf9ac68978064fcf92c8399c798f15daa614b0ec54b9
• Instruction Fuzzy Hash: C8F0907260220EBFABA5DFB4DC48DFB77ECEB09340B44852AA915C1060EA34DA54C7A0
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00014A23,?,00014F67,*MEMCAB,00008000,00000180), ref: 000148DE
                                                                                                                                                                                                                  • CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00014F67,*MEMCAB,00008000,00000180), ref: 00014902
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                                                  • Opcode ID: 84340913bc7c57d2349b981d06811926b4b47971a5d9ccced87b1234569e3170
                                                                                                                                                                                                                  • Instruction ID: ceb00fc85732a46c8b3692fb679c29cdc4ea2f4d8a8206ebbd775ec8917d869d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 84340913bc7c57d2349b981d06811926b4b47971a5d9ccced87b1234569e3170
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EF016DA3E1257026F36440294C88FFB555CCBD6734F1B0335BDEAEB1E2D5644C8481E0
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 00013680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0001369F
                                                                                                                                                                                                                    • Part of subcall function 00013680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 000136B2
                                                                                                                                                                                                                    • Part of subcall function 00013680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 000136DA
                                                                                                                                                                                                                  • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00014B05
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1084409-0
                                                                                                                                                                                                                  • Opcode ID: 4fa1f9e6e5468fee362d010e396edc10e38bfa2ed62f2d8122a64fa8bdc4c1fe
                                                                                                                                                                                                                  • Instruction ID: 0b55bf3e539b068d125da6a6ca5e3a710efd1e87f42c7717d0e37599f0438d4c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4fa1f9e6e5468fee362d010e396edc10e38bfa2ed62f2d8122a64fa8bdc4c1fe
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CF019E31200301ABEB148F69EC95BE67799FB44725F08C229FA399B1F0CB74D991CB81
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CharPrevA.USER32(00018B3E,00018B3F,00000001,00018B3E,-00000003,?,000160EC,00011140,?), ref: 000165BA
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CharPrev
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 122130370-0
                                                                                                                                                                                                                  • Opcode ID: 08e85c8499f3533c7efd88565b067d47db7a736b8a4fe6c83a8ea412075e3b64
                                                                                                                                                                                                                  • Instruction ID: 6b6427319ab5560c4db75a08001ccb417ec025e8ea75f3ad327008e569e35661
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 08e85c8499f3533c7efd88565b067d47db7a736b8a4fe6c83a8ea412075e3b64
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F2F04C322086509BD332091D9C84BEABFDF9B86350F28416EE8DAC3205CA678CC583A4
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0001623F
                                                                                                                                                                                                                    • Part of subcall function 000144B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00014518
                                                                                                                                                                                                                    • Part of subcall function 000144B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00014554
                                                                                                                                                                                                                    • Part of subcall function 00016285: GetLastError.KERNEL32(00015BBC), ref: 00016285
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: DirectoryErrorLastLoadMessageStringWindows
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 381621628-0
                                                                                                                                                                                                                  • Opcode ID: e97f6ff4f75564a7bcdd9d319785c40b6fb7ff9565e8021db1f7c414731e3fd9
                                                                                                                                                                                                                  • Instruction ID: 63597a20bcd05984f1fc8590e6f284a78cd1e60603c8d0b4ba5a068917bd779e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e97f6ff4f75564a7bcdd9d319785c40b6fb7ff9565e8021db1f7c414731e3fd9
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6CF0B4B0700208ABE750EB748D02BFE36ACDB58700F404069B985D6092DD7599C48650
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • FindCloseChangeNotification.KERNELBASE(9ED71965,00000000,00000000,?,00014FA1,00000000), ref: 00014B98
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ChangeCloseFindNotification
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2591292051-0
• Opcode ID: 7a654157df530afa6a55d5437343bc6fa18231fbfb8efab2f4fc0f3db57ed4ce
• Instruction ID: 3a0ac85703c1bb57f6fd5115a6b40cc1d7921d2c37e087d1d10c4418094e786c
• Opcode Fuzzy Hash: 7a654157df530afa6a55d5437343bc6fa18231fbfb8efab2f4fc0f3db57ed4ce
• Instruction Fuzzy Hash: 93F01271904B089E47718F39EC416D2BBE5AB95360330892E946ED21E0EB30A541CB90

Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(?,00014777,?,00014E38,?), ref: 000166B1

Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd

Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 480bebe9f6e61223939d2f469bdf820e40c8f0f88d59e1a5fe2001b4a828ca2d
• Instruction ID: df77a20faa83ed61f8558026a608247e13aa536d6c3ec9deac34f6f11163feff
• Opcode Fuzzy Hash: 480bebe9f6e61223939d2f469bdf820e40c8f0f88d59e1a5fe2001b4a828ca2d
• Instruction Fuzzy Hash: 8BB0927A322440426A6146756C295963881A7C233A7E45B90F032C01E0CA3FD886D004

Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalAlloc.KERNELBASE(00000000,?), ref: 00014CAA

Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd

Similarity
• API ID: AllocGlobal
• String ID:
• API String ID: 3761449716-0
• Opcode ID: e2bb94a66ef4ca4b61b3a901a977222664dd94995e5eedfb63f9f20751343d54
• Instruction ID: 76404eeea42d10b2e0227b3a1a6b9cd48d37cd8c646624cfac3fa57fa9484505
• Opcode Fuzzy Hash: e2bb94a66ef4ca4b61b3a901a977222664dd94995e5eedfb63f9f20751343d54
• Instruction Fuzzy Hash: BCB0123214420CB7DF011FC2EC09FC53F1DE7C9771F144000F60C45050CA7694108696

Uniqueness
Uniqueness Score: -1.00%

APIs
(none listed)

Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd

Similarity
• API ID: FreeGlobal
• String ID:
• API String ID: 2979337801-0
• Opcode ID: d7ec2222dd030d2c4db66f0d21173fe845790534aed597e43a1a0fe57ea19e72
• Instruction ID: f4ee5e9a7c459ae18270315611c77e3d3bf68f8746d0aad33c41577edd3b6084
• Opcode Fuzzy Hash: d7ec2222dd030d2c4db66f0d21173fe845790534aed597e43a1a0fe57ea19e72
• Instruction Fuzzy Hash: 15B0123100010CB78F011B42EC088853F1DD7C53607014010F50C41022CB3B98118585

Uniqueness
Uniqueness Score: -1.00%

APIs
• CharNextA.USER32(?,00000000,?,?), ref: 00015CEE
• GetModuleFileNameA.KERNEL32(00018B3E,00000104,00000000,?,?), ref: 00015DFC
• CharUpperA.USER32(?), ref: 00015E3E
• CharUpperA.USER32(-00000052), ref: 00015EE1
• CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00015F6F
• CharUpperA.USER32(?), ref: 00015FA7
• CharUpperA.USER32(-0000004E), ref: 00016008
• CharUpperA.USER32(?), ref: 000160AA
• CloseHandle.KERNEL32(00000000,00011140,00000000,00000040,00000000), ref: 000161F1
• ExitProcess.KERNEL32 ref: 000161F8

Strings
(none listed)

Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd

Similarity
• API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
• String ID: "$"$:$RegServer
• API String ID: 1203814774-25366791
• Opcode ID: 8639c349c082c8a9f68e3cac475a595aef50b7549921c46c82734bff8b85b655
• Instruction ID: 8fcd440db3161ca76850930948ab5f1c29553c8366079f29d6e56d28fdd0eb00
• Opcode Fuzzy Hash: 8639c349c082c8a9f68e3cac475a595aef50b7549921c46c82734bff8b85b655
• Instruction Fuzzy Hash: EAD16E71E04A44DFEF758B389C487FA3BE1AB96306F1480A9D486CE191DB758EC6CB41

Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00011EFB
• OpenProcessToken.ADVAPI32(00000000), ref: 00011F02
• ExitWindowsEx.USER32(00000002,00000000), ref: 00011FD3

Strings
(none listed)

Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd

Similarity
• API ID: Process$CurrentExitOpenTokenWindows
• String ID: SeShutdownPrivilege
• API String ID: 2795981589-3733053543
• Opcode ID: 8cdf72723e6782aec81ce0a3ca95ddb4a202e63817b00ad048a843f18b64093e
• Instruction ID: dc5707c1536350e765d08ca3acaeda3feacfb69c5d737eb5470abae297d45f7d
• Opcode Fuzzy Hash: 8cdf72723e6782aec81ce0a3ca95ddb4a202e63817b00ad048a843f18b64093e
• Instruction Fuzzy Hash: B421B771B412057BEB345BE19C4AFFF76F8EB85B10F10402DFB06D6181D77988829661

Uniqueness
Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00016E26,00011000), ref: 00016CF7
• UnhandledExceptionFilter.KERNEL32(00016E26,?,00016E26,00011000), ref: 00016D00
• GetCurrentProcess.KERNEL32(C0000409,?,00016E26,00011000), ref: 00016D0B
• TerminateProcess.KERNEL32(00000000,?,00016E26,00011000), ref: 00016D12

Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd

Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
                                                                                                                                                                                                                  • API String ID: 3231755760-0
                                                                                                                                                                                                                  • Opcode ID: c2baa4172adf60f19ef56e2864cfaf41547824103cadae11efe6d24d5578c001
                                                                                                                                                                                                                  • Instruction ID: 8311c80f14b37f995de4bdccf8dc1c6cbe6958a7a40546238f4c246d9e171b33
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c2baa4172adf60f19ef56e2864cfaf41547824103cadae11efe6d24d5578c001
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 28D0C932201108BBFB012BE1EC0CA993F28EB4A226F448000F71982020CA3A44518B52
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• LoadStringA.USER32(000003E8,00018598,00000200), ref: 00013271
• GetDesktopWindow.USER32 ref: 000133E2
• SetWindowTextA.USER32(?,smo), ref: 000133F7
• SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00013410
• GetDlgItem.USER32(?,00000836), ref: 00013426
• EnableWindow.USER32(00000000), ref: 0001342D
• EndDialog.USER32(?,00000000), ref: 0001343F
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
• String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$smo
• API String ID: 2418873061-2951332106
• Opcode ID: 8dde3b0b32e0a511bbb9f0b0b5899a7259c07953c45cd70916422feaa3ea12e7
• Instruction ID: d3f4b2e741696e84f49550371b18c6d6852ecdf06b63fb6267b82cf0f118990a
• Opcode Fuzzy Hash: 8dde3b0b32e0a511bbb9f0b0b5899a7259c07953c45cd70916422feaa3ea12e7
• Instruction Fuzzy Hash: 39514930381250BBFB725B355C4CFFF3D99EB86B54F508028F645A61D1CAB89BC19265
Uniqueness
• Uniqueness Score: -1.00%

APIs
• TerminateThread.KERNEL32(00000000), ref: 00013535
• EndDialog.USER32(?,?), ref: 00013541
• ResetEvent.KERNEL32 ref: 0001355F
• SetEvent.KERNEL32(00011140,00000000,00000020,00000004), ref: 00013590
• GetDesktopWindow.USER32 ref: 000135C7
• GetDlgItem.USER32(?,0000083B), ref: 000135F1
• SendMessageA.USER32(00000000), ref: 000135F8
• GetDlgItem.USER32(?,0000083B), ref: 00013610
• SendMessageA.USER32(00000000), ref: 00013617
• SetWindowTextA.USER32(?,smo), ref: 00013623
• CreateThread.KERNEL32(00000000,00000000,Function_00004FE0,00000000,00000000,00018798), ref: 00013637
• EndDialog.USER32(?,00000000), ref: 00013671
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
• String ID: smo
• API String ID: 2406144884-2762499640
• Opcode ID: 10aa53ef5b1ee62ecb49404d7cde5c0ff8cf5c605d14c39611679fbf70da7528
• Instruction ID: 79e0a6ad8b189ecefaad7e86f95da2d6fdcc78954231998728b41a82064eeeb8
• Opcode Fuzzy Hash: 10aa53ef5b1ee62ecb49404d7cde5c0ff8cf5c605d14c39611679fbf70da7528
• Instruction Fuzzy Hash: 6931B071340300BBE7601F25AC4DEEA3AAAE786B55F50C529F602952B1CA798A80CB51
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00014236
• GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0001424C
• GetProcAddress.KERNEL32(00000000,000000C3), ref: 00014263
• GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 0001427A
• GetTempPathA.KERNEL32(00000104,000188C0,?,00000001), ref: 0001429F
• CharPrevA.USER32(000188C0,00031181,?,00000001), ref: 000142C2
• CharPrevA.USER32(000188C0,00000000,?,00000001), ref: 000142D6
• FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00014391
• FreeLibrary.KERNEL32(00000000,?,00000001), ref: 000143A5
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
• String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
• API String ID: 1865808269-1731843650
• Opcode ID: 5a4ca3765966a0bf4c400db95841bb2211ac56164124f256587ea6bfbe7236c2
• Instruction ID: a5ba9629f5e809a887049cca920d9af7a2fcbee9aae33a97b8e9c7cb8aefaffd
• Opcode Fuzzy Hash: 5a4ca3765966a0bf4c400db95841bb2211ac56164124f256587ea6bfbe7236c2
• Instruction Fuzzy Hash: 34410974A01204AFE7129F74DC84AFE7BF4EB4A344F548169E951A7261CF788EC1C761
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CharUpperA.USER32(199D070E,00000000,00000000,00000000), ref: 000127A8
• CharNextA.USER32(0000054D), ref: 000127B5
• CharNextA.USER32(00000000), ref: 000127BC
• RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00012829
• RegQueryValueExA.ADVAPI32(?,00011140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00012852
• ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00012870
• RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 000128A0
• GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 000128AA
• GetSystemDirectoryA.KERNEL32(-00000005,00000104), ref: 000128B9
Strings
• Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 000127E4
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
• String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                                                                                                                                                                                                                  • API String ID: 2659952014-2428544900
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 000122A3
• RegQueryValueExA.ADVAPI32(?,wextract_cleanup1,00000000,00000000,?,?,00000001), ref: 000122D8
• memset.MSVCRT ref: 000122F5
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00012305
• RegSetValueExA.ADVAPI32(?,wextract_cleanup1,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 0001236E
• RegCloseKey.ADVAPI32(?), ref: 0001237A
Strings
• C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00012321
• Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00012299
• rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 0001232D
• wextract_cleanup1, xrefs: 0001227C, 000122CD, 00012363
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Value$CloseDirectoryOpenQuerySystemmemset
• String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup1
• API String ID: 3027380567-2601155950
Uniqueness

Uniqueness Score: -1.00%

APIs
• EndDialog.USER32(?,00000000), ref: 0001313B
• GetDesktopWindow.USER32 ref: 0001314B
• SetDlgItemTextA.USER32(?,00000834), ref: 0001316A
• SetWindowTextA.USER32(?,smo), ref: 00013176
• SetForegroundWindow.USER32(?), ref: 0001317D
• GetDlgItem.USER32(?,00000834), ref: 00013185
• GetWindowLongA.USER32(00000000,000000FC), ref: 00013190
• SetWindowLongA.USER32(00000000,000000FC,000130C0), ref: 000131A3
• SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 000131CA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
• String ID: smo
• API String ID: 3785188418-2762499640
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000117EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,000118DD), ref: 0001181A
  • Part of subcall function 000117EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0001182C
  • Part of subcall function 000117EE: AllocateAndInitializeSid.ADVAPI32(000118DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,000118DD), ref: 00011855
  • Part of subcall function 000117EE: FreeSid.ADVAPI32(?,?,?,?,000118DD), ref: 00011883
  • Part of subcall function 000117EE: FreeLibrary.KERNEL32(00000000,?,?,?,000118DD), ref: 0001188A
• GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 000118EB
• OpenProcessToken.ADVAPI32(00000000), ref: 000118F2
• GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0001190A
• GetLastError.KERNEL32 ref: 00011918
• LocalAlloc.KERNEL32(00000000,?,?), ref: 0001192C
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00011944
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00011964
• EqualSid.ADVAPI32(00000004,?), ref: 0001197A
• FreeSid.ADVAPI32(?), ref: 0001199C
• LocalFree.KERNEL32(00000000), ref: 000119A3
• CloseHandle.KERNEL32(?), ref: 000119AD
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
• String ID:
• API String ID: 2168512254-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146A0
• SizeofResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146A9
• FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146C3
• LoadResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146CC
• LockResource.KERNEL32(00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146D3
• memcpy_s.MSVCRT ref: 000146E5
• FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000146EF
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
                                                                                                                                                                                                                  • String ID: TITLE$smo
                                                                                                                                                                                                                  • API String ID: 3370778649-3033500379
                                                                                                                                                                                                                  • Opcode ID: 112ce5483c37da93d07ab3bc17bf9e6fa33d7e75532cf88a30f657f7b02d2c76
                                                                                                                                                                                                                  • Instruction ID: dbede054a15ce49cacb6b147080f1e4375b5e94fff8fbaf5d0693c2903a16b9b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 112ce5483c37da93d07ab3bc17bf9e6fa33d7e75532cf88a30f657f7b02d2c76
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CD01D1323412007BF3221BA56C0CFEB3E6CDBCBB62F048014FA49861A0C9B58C8482A3
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,000118DD), ref: 0001181A
                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0001182C
                                                                                                                                                                                                                  • AllocateAndInitializeSid.ADVAPI32(000118DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,000118DD), ref: 00011855
                                                                                                                                                                                                                  • FreeSid.ADVAPI32(?,?,?,?,000118DD), ref: 00011883
                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,000118DD), ref: 0001188A
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                                                                                                                                                                                                                  • String ID: CheckTokenMembership$advapi32.dll
                                                                                                                                                                                                                  • API String ID: 4204503880-1888249752
                                                                                                                                                                                                                  • Opcode ID: c5737588e0721b0101b17b0551964026e87ae3e3e728c549d2039306b6e8d4bd
                                                                                                                                                                                                                  • Instruction ID: dbd6f347968c96415e488bec198467d0b774ffb9b86425cb8e8fe2a1ae73e5f4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c5737588e0721b0101b17b0551964026e87ae3e3e728c549d2039306b6e8d4bd
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DB119331F01209ABEB159FA4DC49AFEBBB8EF49700F104169FA05E3290DB759D418B91
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • EndDialog.USER32(?,?), ref: 00013490
                                                                                                                                                                                                                  • GetDesktopWindow.USER32 ref: 0001349A
                                                                                                                                                                                                                  • SetWindowTextA.USER32(?,smo), ref: 000134B2
                                                                                                                                                                                                                  • SetDlgItemTextA.USER32(?,00000838), ref: 000134C4
                                                                                                                                                                                                                  • SetForegroundWindow.USER32(?), ref: 000134CB
                                                                                                                                                                                                                  • EndDialog.USER32(?,00000002), ref: 000134D8
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Window$DialogText$DesktopForegroundItem
                                                                                                                                                                                                                  • String ID: smo
                                                                                                                                                                                                                  • API String ID: 852535152-2762499640
                                                                                                                                                                                                                  • Opcode ID: 15ca3a1665242aa75c890bd71ea8eeb0aeef5c1bc15ef92afde53717b9138fc6
                                                                                                                                                                                                                  • Instruction ID: c17e49d3622568c9008d814815b0ef1da21a0e95681698ef27f62dd58cc587e7
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 15ca3a1665242aa75c890bd71ea8eeb0aeef5c1bc15ef92afde53717b9138fc6
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F7018831741114BBE7675FA5DC0C9ED3B95EB46711F108010F946865A0C779AFC1D785
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00012AE6
                                                                                                                                                                                                                  • IsDBCSLeadByte.KERNEL32(00000000), ref: 00012AF2
                                                                                                                                                                                                                  • CharNextA.USER32(?), ref: 00012B12
                                                                                                                                                                                                                  • CharUpperA.USER32 ref: 00012B1E
                                                                                                                                                                                                                  • CharPrevA.USER32(?,?), ref: 00012B55
                                                                                                                                                                                                                  • CharNextA.USER32(?), ref: 00012BD4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 571164536-0
                                                                                                                                                                                                                  • Opcode ID: 3e4655b4027f93fcef395f8d5550e820c75c4e4c137320f93d9e76241f87ca94
                                                                                                                                                                                                                  • Instruction ID: 5c9a2337b9687c51b691658fd514f255357608580e1aae420bb0ffdf8d5d8db0
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3e4655b4027f93fcef395f8d5550e820c75c4e4c137320f93d9e76241f87ca94
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EB4128346082456FEB569F349C94AFE7BB99F57310F14409AE8C283202DB394ED6CBA1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 000143F1
                                                                                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0001440B
                                                                                                                                                                                                                  • GetDC.USER32(?), ref: 00014423
                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 0001442E
                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0001443A
                                                                                                                                                                                                                  • ReleaseDC.USER32(?,00000000), ref: 00014447
                                                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 000144A2
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Window$CapsDeviceRect$Release
• String ID:
• API String ID: 2212493051-0
• Opcode ID: c768ec627c60d92e2a0cacd12f4f8f38290868ab55e86dead3b145257aa0b370
• Instruction ID: a8efde53df0ef129c73dbb80162b31f160088a2ea9ec527d78544c18d47f866d
• Opcode Fuzzy Hash: c768ec627c60d92e2a0cacd12f4f8f38290868ab55e86dead3b145257aa0b370
• Instruction Fuzzy Hash: C8313A32F01119AFDB15CFB8DD899EEBBB5EB89310F154169F805F3250EA34AD458BA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0001171E: _vsnprintf.MSVCRT ref: 00011750
• LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,000151CA,00000004,00000024,00012F71,?,00000002,00000000), ref: 000162CD
• LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,000151CA,00000004,00000024,00012F71,?,00000002,00000000), ref: 000162D4
• FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,000151CA,00000004,00000024,00012F71,?,00000002,00000000), ref: 0001631B
• FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00016345
• FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,000151CA,00000004,00000024,00012F71,?,00000002,00000000), ref: 00016357
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Resource$Free$FindLoadLock_vsnprintf
• String ID: UPDFILE%lu
• API String ID: 2922116661-2329316264
• Opcode ID: 4176a143ea890e2c28a726cd9508c980e048c352fc073692936e55ba4ab93d16
• Instruction ID: 1167ce5f8dae18cedc85e4d86da3d31420f2fe9b2377cf28c34d2bb82ffcc70a
• Opcode Fuzzy Hash: 4176a143ea890e2c28a726cd9508c980e048c352fc073692936e55ba4ab93d16
• Instruction Fuzzy Hash: 59210571A00219AFEB159FA4DC459FFBB78FF49710B104119FA12A3241DB7A9E42CBE0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0001686E
• GetSystemMetrics.USER32(0000004A), ref: 000168A7
• RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 000168CC
• RegQueryValueExA.ADVAPI32(?,00011140,00000000,?,?,0000000C), ref: 000168F4
• RegCloseKey.ADVAPI32(?), ref: 00016902
  • Part of subcall function 000166F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,0001691A), ref: 00016741
Strings
• Control Panel\Desktop\ResourceLocale, xrefs: 000168C2
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
• String ID: Control Panel\Desktop\ResourceLocale
• API String ID: 3346862599-1109908249
• Opcode ID: 74f7a6c158a60116269ce10c3edd925d0e3804dc126ebb6a27d84c9e046aa4a5
• Instruction ID: 856bb375470a19e8177755a5ea1277ae967c69cbe4d97b729c79be842eb2e8f2
• Opcode Fuzzy Hash: 74f7a6c158a60116269ce10c3edd925d0e3804dc126ebb6a27d84c9e046aa4a5
• Instruction Fuzzy Hash: 71314F31A01218AFEB218B61DC45BEAB7BCFB45764F0081A5E94DA6240DB399AC5CB52
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146A0
  • Part of subcall function 0001468F: SizeofResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146A9
  • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146C3
  • Part of subcall function 0001468F: LoadResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146CC
  • Part of subcall function 0001468F: LockResource.KERNEL32(00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146D3
  • Part of subcall function 0001468F: memcpy_s.MSVCRT ref: 000146E5
  • Part of subcall function 0001468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000146EF
• LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00012F64,?,00000002,00000000), ref: 00013A5D
• LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00013AB3
  • Part of subcall function 000144B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00014518
  • Part of subcall function 000144B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00014554
  • Part of subcall function 00016285: GetLastError.KERNEL32(00015BBC), ref: 00016285
• lstrcmpA.KERNEL32(<None>,00000000), ref: 00013AD0
• LocalFree.KERNEL32 ref: 00013B13
  • Part of subcall function 00016517: FindResourceA.KERNEL32(00010000,000007D6,00000005), ref: 0001652A
  • Part of subcall function 00016517: LoadResource.KERNEL32(00010000,00000000,?,?,00012EE8,00000000,000119E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00016538
  • Part of subcall function 00016517: DialogBoxIndirectParamA.USER32(00010000,00000000,00000547,000119E0,00000000), ref: 00016557
  • Part of subcall function 00016517: FreeResource.KERNEL32(00000000,?,?,00012EE8,00000000,000119E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00016560
• LocalFree.KERNEL32(00000000,00013100,00000000,00000000), ref: 00013AF4
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
• String ID: <None>$LICENSE
• API String ID: 2414642746-383193767
• Opcode ID: 22c0ac70f7d3963e87cb589525e58717c9e4b8762963b04f02a2b038862e80fc
• Instruction ID: 5baf9654e038635a950245d23f30bfee65bab8753d0324f8b49016424ead2229
• Opcode Fuzzy Hash: 22c0ac70f7d3963e87cb589525e58717c9e4b8762963b04f02a2b038862e80fc
• Instruction Fuzzy Hash: 3D11DA30301301BBE7245F32AC19EDB3AF9DFDA700B10C02EB645D65B2DA7D89808665
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00012506
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0001252C
• _lopen.KERNEL32(?,00000040), ref: 0001253B
• _llseek.KERNEL32(00000000,00000000,00000002), ref: 0001254C
• _lclose.KERNEL32(00000000), ref: 00012555
Strings
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
• String ID: wininit.ini
• API String ID: 3273605193-4206010578
• Opcode ID: f4f64ba178ed351f8bc731da354c5d11adc6bf84dc703e35886abe68083f5304
• Instruction ID: 365592f3dc9533659f487f589ce9360a1d34c0efc15ff87252292f47043a47f9
• Opcode Fuzzy Hash: f4f64ba178ed351f8bc731da354c5d11adc6bf84dc703e35886abe68083f5304
• Instruction Fuzzy Hash: CE01F132B011186BD720DB659C4CEEFBBBDEB8A760F004154FA48D3190DE788E81CBA1
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00013723
                                                                                                                                                                                                                  • MessageBeep.USER32(00000000), ref: 000139C3
                                                                                                                                                                                                                  • MessageBoxA.USER32(00000000,00000000,smo,00000030), ref: 000139F1
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Message$BeepVersion
                                                                                                                                                                                                                  • String ID: 3$smo
                                                                                                                                                                                                                  • API String ID: 2519184315-1411035656
                                                                                                                                                                                                                  • Opcode ID: 1e87f7dfc8be74e784689e81ccac182d2d6982a4a9d4e69b9faba72f9cfe00ba
                                                                                                                                                                                                                  • Instruction ID: 851f8b07d733bd5d2bf38e71b530bda419eccd350cd2ea4bfc0d7b977d36a49b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1e87f7dfc8be74e784689e81ccac182d2d6982a4a9d4e69b9faba72f9cfe00ba
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8791E2B1A012249FEBB58B24CC817EAB7E4AF45304F5540A9D8899B291DB758FC1CB42
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 000164DF
                                                                                                                                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 000164F9
                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 00016502
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: LibraryLoad$AttributesFile
                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$advpack.dll
                                                                                                                                                                                                                  • API String ID: 438848745-875882553
                                                                                                                                                                                                                  • Opcode ID: 1c9aa34d278539c24c3834b6a77a80a25188abc167159287c46bd7d26a34bcbf
                                                                                                                                                                                                                  • Instruction ID: e65e5c5ae81ff6182c3be54250cf0caa8e5e87afff0d6c65bccc41c37104ae88
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c9aa34d278539c24c3834b6a77a80a25188abc167159287c46bd7d26a34bcbf
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 24014430A00108ABEB60DBA0DC49FEE7379EB55310F400194F985931C0CF75AECACB41
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00012A6F
                                                                                                                                                                                                                    • Part of subcall function 00012773: CharUpperA.USER32(199D070E,00000000,00000000,00000000), ref: 000127A8
                                                                                                                                                                                                                    • Part of subcall function 00012773: CharNextA.USER32(0000054D), ref: 000127B5
                                                                                                                                                                                                                    • Part of subcall function 00012773: CharNextA.USER32(00000000), ref: 000127BC
                                                                                                                                                                                                                    • Part of subcall function 00012773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00012829
                                                                                                                                                                                                                    • Part of subcall function 00012773: RegQueryValueExA.ADVAPI32(?,00011140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00012852
                                                                                                                                                                                                                    • Part of subcall function 00012773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00012870
                                                                                                                                                                                                                    • Part of subcall function 00012773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 000128A0
                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00013938,?,?,?,?,-00000005), ref: 00012958
                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00013938,?,?,?,?,-00000005,?), ref: 00012969
                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00013938,?,?,?,?,-00000005,?), ref: 00012A21
                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 00012A81
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3949799724-0
                                                                                                                                                                                                                  • Opcode ID: b2af4b5ce00967381a67a2f5d9349e6525eea3eea4371116825b1cea10d45a29
                                                                                                                                                                                                                  • Instruction ID: d4b5b7329e6c5bc75252bef5c394d839bbb1a6a3050e53ae3db35c0f33cc0944
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b2af4b5ce00967381a67a2f5d9349e6525eea3eea4371116825b1cea10d45a29
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5A513831E00219DFDB21CF98D884AEEBBB5FF48710F54816AE901E3211DB359991DB91
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146A0
                                                                                                                                                                                                                    • Part of subcall function 0001468F: SizeofResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146A9
                                                                                                                                                                                                                    • Part of subcall function 0001468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000146C3
                                                                                                                                                                                                                    • Part of subcall function 0001468F: LoadResource.KERNEL32(00000000,00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146CC
                                                                                                                                                                                                                    • Part of subcall function 0001468F: LockResource.KERNEL32(00000000,?,00012D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000146D3
                                                                                                                                                                                                                    • Part of subcall function 0001468F: memcpy_s.MSVCRT ref: 000146E5
                                                                                                                                                                                                                    • Part of subcall function 0001468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000146EF
                                                                                                                                                                                                                  • LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,000130B4), ref: 00014189
                                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,000130B4), ref: 000141E7
                                                                                                                                                                                                                    • Part of subcall function 000144B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00014518
                                                                                                                                                                                                                    • Part of subcall function 000144B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00014554
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
                                                                                                                                                                                                                  • String ID: <None>$FINISHMSG
                                                                                                                                                                                                                  • API String ID: 3507850446-3091758298
                                                                                                                                                                                                                  • Opcode ID: 0eed46b8fb5436bee358af11d17a692707b179739ec73977b783796d92c7335d
                                                                                                                                                                                                                  • Instruction ID: 4df4fa83cd84486b37571e435c35553879a48f61c278b75661818353118fdc45
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0eed46b8fb5436bee358af11d17a692707b179739ec73977b783796d92c7335d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2401F4B57013143BF32916658C96FFB218EDBDA795F114025BB05E21A1DA6CCCC141B5
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00017182
• GetCurrentProcessId.KERNEL32 ref: 00017191
• GetCurrentThreadId.KERNEL32 ref: 0001719A
• GetTickCount.KERNEL32 ref: 000171A3
• QueryPerformanceCounter.KERNEL32(?), ref: 000171B8
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: ebf9e2f2173f71e01f85a2cb1e09941b6bb2483af1a93045743d414f9f3661ed
• Instruction ID: aa2eb2f07cfc3b167d88436c718998a73551f36a74cdbc8392ee45992f2f6ccb
• Opcode Fuzzy Hash: ebf9e2f2173f71e01f85a2cb1e09941b6bb2483af1a93045743d414f9f3661ed
• Instruction Fuzzy Hash: 2F114C71E05208EFDB50DFF8DA48ADEB7F4EF08310F618855E805E7210EA389B048B41
Uniqueness
Uniqueness Score: -1.00%

APIs
• EndDialog.USER32(?,?), ref: 00011A18
• GetDesktopWindow.USER32 ref: 00011A24
• LoadStringA.USER32(?,?,00000200), ref: 00011A4F
• SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00011A62
• MessageBeep.USER32(000000FF), ref: 00011A6A
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
• String ID:
• API String ID: 1273765764-0
• Opcode ID: 39e84f61f29795b4368fe772a80a92cc868b760fb875ef263a882859697f437c
• Instruction ID: 5d5a2e6a8d06464e268fa166d81a1829422319236c92b926deb010f15c96a36d
• Opcode Fuzzy Hash: 39e84f61f29795b4368fe772a80a92cc868b760fb875ef263a882859697f437c
• Instruction Fuzzy Hash: 4211A131601109AFEB15EF64DD08AEE7BB8EF4A310F508154FA1292191DA359E41CB96
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0001642D
• WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0001645B
• CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0001647A
Strings
• C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 000163EB
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
• API String ID: 1065093856-3647970563
• Opcode ID: fdc22740418aa86d34994e9ac2a2751c044ef944705df22abcd8ae44f73bcfc9
• Instruction ID: 8bc7e55e3da186b987a9e308aeb55cd9da390f85e61caf124b3f46c5b9823db7
• Opcode Fuzzy Hash: fdc22740418aa86d34994e9ac2a2751c044ef944705df22abcd8ae44f73bcfc9
• Instruction Fuzzy Hash: A721D571A0021CABD711DF25DC85FEB77BCEB49314F1041A9F585A3280DAB55DC48FA4
Uniqueness
Uniqueness Score: -1.00%
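Two of the records above are worth telling apart when reading a report like this. The GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter sequence is the MSVC CRT's __security_init_cookie seeding the stack cookie; it appears in practically every MSVC-built executable and says nothing about the sample. The CreateFileA, WriteFile, CloseHandle record, on the other hand, writes into C:\Users\user\AppData\Local\Temp\IXP001.TMP\, which is the temp directory naming scheme used by IExpress (wextract.exe) self-extracting packages, so it is the extractor dropping its payload. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses function records in the layout shown above from a constructed two-record sample, rebases each call site to an RVA using the record's "Offset:" image base, collects Windows paths from call arguments and the Strings block, and assigns a coarse verdict. The regexes, the section handling and the verdict labels are assumptions of this example about the report's text layout, not Joe Sandbox identifiers.

```python
"""Triage Joe Sandbox IDA-plugin function records (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: two records in the shape of the report's "APIs ... Uniqueness" blocks.
SAMPLE_REPORT = r"""
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00017182
• GetCurrentProcessId.KERNEL32 ref: 00017191
• GetCurrentThreadId.KERNEL32 ref: 0001719A
• GetTickCount.KERNEL32 ref: 000171A3
• QueryPerformanceCounter.KERNEL32(?), ref: 000171B8
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
Uniqueness
Uniqueness Score: -1.00%
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0001642D
• WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0001645B
• CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0001647A
Strings
• C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 000163EB
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
Uniqueness
Uniqueness Score: -1.00%
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; subcall lines carry a prefix.
API_RE = re.compile(r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<name>\w+)(?:\.\w+)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*[0-9A-Fa-f]+\s*$")
OFFSET_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
IEXPRESS_TMP_RE = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)  # wextract.exe unpack dir
# The five calls the MSVC CRT's __security_init_cookie uses to seed the stack cookie.
CRT_COOKIE_INIT = {"GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
                   "GetTickCount", "QueryPerformanceCounter"}


@dataclass
class ApiCall:
    name: str
    args: list
    ref: int          # call-site virtual address as printed ("ref: ...")
    in_subcall: bool  # "Part of subcall function" lines belong to a callee, not this function


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    image_base: int = 0  # "Offset:" of the dump the record was lifted from

    def direct_api_names(self):
        return {c.name for c in self.calls if not c.in_subcall}


def parse_records(text):
    """One FunctionRecord per 'APIs' block; the current section is tracked by its header line."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current, section = FunctionRecord(), "APIs"
            records.append(current)
        elif not line or current is None:
            continue
        elif line in ("Strings", "Memory Dump Source", "Similarity", "Uniqueness"):
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            current.calls.append(ApiCall(m["name"], args, int(m["ref"], 16), bool(m["sub"])))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            current.strings.append(m["text"])
        elif section == "Memory Dump Source" and (m := OFFSET_RE.search(line)):
            current.image_base = current.image_base or int(m["base"], 16)
    return records


def written_paths(rec):
    # Windows paths seen either as call arguments or in the record's Strings block.
    candidates = list(rec.strings) + [a for c in rec.calls for a in c.args]
    return sorted({p for p in candidates if WIN_PATH_RE.match(p)})


def classify(rec):
    names = rec.direct_api_names()
    if names == CRT_COOKIE_INIT:
        return "crt_security_init_cookie"  # compiler boilerplate, not sample behaviour
    if "WriteFile" in names and any(n.startswith("CreateFile") for n in names):
        if any(IEXPRESS_TMP_RE.search(p) for p in written_paths(rec)):
            return "file_drop_iexpress_temp"
        return "file_write"
    if names & {"DialogBoxIndirectParamA", "DialogBoxParamA", "EndDialog"}:
        return "ui_dialog"
    return "unclassified"


def triage(text):
    """Per record: verdict, direct APIs in call order, lowest call-site RVA, paths touched."""
    out = []
    for rec in parse_records(text):
        refs = [c.ref for c in rec.calls if not c.in_subcall]
        out.append({"verdict": classify(rec),
                    "apis": [c.name for c in rec.calls if not c.in_subcall],
                    "rva": hex(min(refs) - rec.image_base) if refs else None,
                    "paths": written_paths(rec)})
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(entry["verdict"], entry["rva"], ", ".join(entry["apis"]), entry["paths"])
```

Feed triage() the text of a report's disassembly section and drop every record whose verdict is crt_security_init_cookie before reading the rest; the RVA lets you jump straight to the call site in your own disassembler once you load the sample at the same base, and the collected paths are the quickest way to see which functions actually touch the IXP001.TMP staging directory.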

APIs
• LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00014E6F), ref: 000147EA
• LocalAlloc.KERNEL32(00000040,?), ref: 00014823
• LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00014847
  • Part of subcall function 000144B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00014518
  • Part of subcall function 000144B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00014554
Strings
• C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00014851
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Local$Alloc$FreeLoadMessageString
• String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
• API String ID: 359063898-3647970563
• Opcode ID: 85f5e95461371c46243d888c8848c22309452afe7350ead36e35aa84774555a5
• Instruction ID: 74948eb131712c39df4d9f40cd42f8ac53fd1156990907c2bd106db09824c643
• Opcode Fuzzy Hash: 85f5e95461371c46243d888c8848c22309452afe7350ead36e35aa84774555a5
• Instruction Fuzzy Hash: D11125796046416FE7659F249C58FFA3B9AEBC6310B04C519FE82CB351DE39CC468760
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(00010000,000007D6,00000005), ref: 0001652A
• LoadResource.KERNEL32(00010000,00000000,?,?,00012EE8,00000000,000119E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00016538
• DialogBoxIndirectParamA.USER32(00010000,00000000,00000547,000119E0,00000000), ref: 00016557
• FreeResource.KERNEL32(00000000,?,?,00012EE8,00000000,000119E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00016560
Memory Dump Source
• Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
Similarity
• API ID: Resource$DialogFindFreeIndirectLoadParam
• String ID:
• API String ID: 1214682469-0
• Opcode ID: 10db9d4931ac8f7fc9f2655e53874226c3a2afdfa6a85aca37c6a67615aba979
• Instruction ID: 1b0b029d5df046b30732f676a1984c447b696254eb50e7a6babc4535886cd64f
• Opcode Fuzzy Hash: 10db9d4931ac8f7fc9f2655e53874226c3a2afdfa6a85aca37c6a67615aba979
• Instruction Fuzzy Hash: 12012672200A05BBEB215F699C08DFB7AADEB8A360F004125FE0093150DB76CD9086A1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0001369F
                                                                                                                                                                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 000136B2
                                                                                                                                                                                                                  • DispatchMessageA.USER32(?), ref: 000136CB
                                                                                                                                                                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 000136DA
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2776232527-0
                                                                                                                                                                                                                  • Opcode ID: 7bdd6005debeb3bc886d9db62613e4f6fa495786ef6c0edd674099d069ae3acf
                                                                                                                                                                                                                  • Instruction ID: 5b9cbbad3a53da24ed08495ab02475281159e0a00f20235bf4d09eb4370d5962
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7bdd6005debeb3bc886d9db62613e4f6fa495786ef6c0edd674099d069ae3acf
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 12018472A01214BBDB304AA65C48EEB7ABCEB86B10F004129F905E2184D5648684C660
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00012B33), ref: 00016602
                                                                                                                                                                                                                  • CharPrevA.USER32(?,00000000), ref: 00016612
                                                                                                                                                                                                                  • CharPrevA.USER32(?,00000000), ref: 00016629
                                                                                                                                                                                                                  • CharNextA.USER32(00000000), ref: 00016635
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Char$Prev$Next
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3260447230-0
                                                                                                                                                                                                                  • Opcode ID: d71a82c647f4fb91618df8be2a061bda14bcc0806414d597f4fd392f01776f48
                                                                                                                                                                                                                  • Instruction ID: 2e8ad497a9fca298d3b0a87713f07d46aa806e3e79dc8b17fa0279058f5bb7d4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d71a82c647f4fb91618df8be2a061bda14bcc0806414d597f4fd392f01776f48
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2FF028321065507EE7331F288C888FBBFDCDF87355B2941AFE89582101D61B0D868661
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 00016FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00016FC5
                                                                                                                                                                                                                  • __set_app_type.MSVCRT ref: 000169C2
                                                                                                                                                                                                                  • __p__fmode.MSVCRT ref: 000169D8
                                                                                                                                                                                                                  • __p__commode.MSVCRT ref: 000169E6
                                                                                                                                                                                                                  • __setusermatherr.MSVCRT ref: 00016A07
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000001.00000002.2614761400.0000000000011000.00000020.00000001.01000000.00000004.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000001.00000002.2614739685.0000000000010000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614782170.0000000000018000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2614801946.000000000001C000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_1_2_10000_Ey3OF47.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1632413811-0
                                                                                                                                                                                                                  • Opcode ID: 59f18e8595e521986476af39db1d1c513337b81864eb5e790c13028ff08c036c
                                                                                                                                                                                                                  • Instruction ID: 4dc73675414fbccb590a863c9233d6a3b780e452b76166d55a35944e37ff84b0
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 59f18e8595e521986476af39db1d1c513337b81864eb5e790c13028ff08c036c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1BF09874609301DFE759AB78ED4A6D43BA2FB09331B10C619F865862E2CF3E8685CB11
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%
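The per-function entries above all share one text shape: an "APIs" list of `Name.MODULE(args), ref: address` lines (calls made through a callee are prefixed "Part of subcall function"), followed by the function's "API ID" string. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses that shape into an ordered call sequence per function and flags ordered call chains that a triager would want to look at, such as the token-privilege path that ends in ExitWindowsEx in the execution graph further down. The sample input is constructed: three entries are copied from the listing above, and the fourth is assembled from the execution graph's node labels for blocks ba1ee2, ba1f23 and ba1f6b, with module names, `?` arguments and block addresses used as `ref` values being my additions rather than sandbox output.

```python
"""Parse Joe Sandbox per-function "APIs" listings into ordered call sequences
and flag call chains worth a second look. Added example, not sandbox tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample. Entries 1-3 are copied from the listing above; entry 4 is
# built from the execution-graph node labels for ba1ee2/ba1f23/ba1f6b (module
# names, "?" arguments and the block addresses used as refs are my additions).
SAMPLE_REPORT = """\
APIs
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0001369F
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 000136B2
• DispatchMessageA.USER32(?), ref: 000136CB
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 000136DA
Similarity
• API ID: Message$Peek$DispatchMultipleObjectsWait
APIs
• CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00012B33), ref: 00016602
• CharNextA.USER32(00000000), ref: 00016635
Similarity
• API ID: Char$Prev$Next
APIs
  • Part of subcall function 00016FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00016FC5
• __set_app_type.MSVCRT ref: 000169C2
• __p__fmode.MSVCRT ref: 000169D8
Similarity
• API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
APIs
• GetCurrentProcess.KERNEL32 ref: 00BA1EE2
• OpenProcessToken.ADVAPI32(?,?,?), ref: 00BA1EE2
• LookupPrivilegeValueA.ADVAPI32(?,?,?), ref: 00BA1F23
• AdjustTokenPrivileges.ADVAPI32(?,?,?,?,?,?), ref: 00BA1F23
• CloseHandle.KERNEL32(?), ref: 00BA1F23
• ExitWindowsEx.USER32(?,?), ref: 00BA1F6B
Similarity
• API ID: Privilege$Token$Exit
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: Optional[List[str]]   # None when the listing shows no argument list
    ref: str                    # address of the call site as printed by the sandbox
    via_subcall: Optional[str]  # callee address when the call is made indirectly


API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_?@][\w?@$]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
API_ID_LINE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>\S*)\s*$")


def parse_report(text: str) -> List[Dict]:
    """Return one {"api_id", "calls"} dict per "APIs" block, calls in listing order."""
    functions: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        if line.strip() == "APIs":           # a new function entry starts here
            current = {"api_id": "", "calls": []}
            functions.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = m.group("args")
            current["calls"].append(ApiCall(
                name=m.group("name"), module=m.group("module"),
                args=None if args is None else args.split(","),
                ref=m.group("ref").upper(), via_subcall=m.group("sub")))
            continue
        m = API_ID_LINE.match(line)
        if m:
            current["api_id"] = m.group("id")
    return functions


# Ordered chains (gaps allowed) that merit attention in a dropper/installer stub.
SUSPICIOUS_CHAINS: Dict[str, Tuple[str, ...]] = {
    # Adjust the process token, then force a logoff/reboot (the ba1ee2 -> ba1f6b path).
    "privileged_shutdown": ("OpenProcessToken", "AdjustTokenPrivileges", "ExitWindowsEx"),
    # Pump the message queue while waiting on a handle: a dialog waiting on a worker thread.
    "ui_wait_loop": ("MsgWaitForMultipleObjects", "PeekMessageA", "DispatchMessageA"),
}


def contains_in_order(names: List[str], chain: Tuple[str, ...]) -> bool:
    """True if every API in `chain` occurs in `names` in that order (not necessarily adjacent)."""
    it = iter(names)
    return all(any(n == want for n in it) for want in chain)


def flag_sequences(functions: List[Dict]) -> List[Tuple[str, str]]:
    """(api_id, chain label) for every function whose call order matches a chain."""
    hits = []
    for fn in functions:
        names = [c.name for c in fn["calls"]]
        for label, chain in SUSPICIOUS_CHAINS.items():
            if contains_in_order(names, chain):
                hits.append((fn["api_id"], label))
    return hits


if __name__ == "__main__":
    for api_id, label in flag_sequences(parse_report(SAMPLE_REPORT)):
        print(f"{label:22s} {api_id}")
```

Run it on the text of a report and the output is a short list of function API IDs to open first; the "API ID" string is the stable key the sandbox also uses for similarity, so hits can be compared across reports of the same family.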

                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                  Execution Coverage:27.5%
                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                                                                                  Total number of Nodes:971
                                                                                                                                                                                                                  Total number of Limit Nodes:46
execution_graph: rendered call graph; the raw node/edge dump is not reproduced here. Call paths recoverable from its node labels (addresses are the graph's block addresses; "N API calls" marks subgraphs the graph collapses):
• CRT start-up: ba69b0 → ba6fbe GetModuleHandleW → ba69c1 __set_app_type, __p__fmode, __p__commode → ba6a02 __setusermatherr → ba71ef _controlfp
• CRT main wrapper: ba6a60 → ba7155 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter → ba6a76 GetStartupInfoW → ba6aaf Sleep (loops back) → ba6ac7 _amsg_exit → ba6b13 _initterm → ba6b2e __IsNonwritableInCurrentImage → ba6bd6 _ismbblead / ba6bbe exit / ba6c27 _cexit / ba2bfb. Most paths also reach ba6ce0 → ba6cf0 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
• Main routine: ba2bfb GetVersion → ba2c13 GetModuleHandleW → ba2c22 GetProcAddress → ba2caa memset, memset, memset → ba468f → ba2d2d CreateEventA, SetEvent → ba468f → ba2da3 CreateMutexA → ba2dbd GetLastError → ba2e04 CloseHandle; ba2e52 FindResourceA → ba2e64 LoadResource → ba36ee; ba2e1f → ba5c9e; ba2c62 → ba2f1d; ba2c97 CloseHandle; ba2c89 → ba1f90
• Resource reader ba468f: FindResourceA, SizeofResource → ba46be FindResourceA, LoadResource, LockResource → ba46df memcpy_s, FreeResource
• ba1f90 → ba1ea7 (15 API calls) → ba1ee2 GetCurrentProcess, OpenProcessToken → ba1f23 LookupPrivilegeValueA, AdjustTokenPrivileges, CloseHandle → ba1f6b ExitWindowsEx; alternate path ba1fcf ExitWindowsEx
• Token check ba18a3: ba17ee LoadLibraryA → ba1826 GetProcAddress → ba1839 AllocateAndInitializeSid → ba185f FreeSid → ba1889 FreeLibrary; then ba18e5 GetCurrentProcess, OpenProcessToken → ba1900 GetTokenInformation → ba1918 GetLastError → ba1927 LocalAlloc → ba1938 GetTokenInformation → ba194e AllocateAndInitializeSid → ba1975 EqualSid → ba1999 FreeSid → ba19a2 LocalFree → ba19aa CloseHandle; continues to ba6517
• Dialog loader ba6517: FindResourceA → ba6536 LoadResource → ba6544 DialogBoxIndirectParamA, FreeResource
• ba2f1d → ba51e5 / ba5164 / ba3a3f / ba55a0; ba2f86 GetSystemDirectoryA → ba658a CharPrevA → ba2fab LoadLibraryA → ba2fc0 GetProcAddress → ba2fd6 DecryptFileA → ba2ff7 FreeLibrary → ba621e GetWindowsDirectoryA → ba3017 SetCurrentDirectoryA → ba3b26 / ba256d / ba3ba2 / ba4169; error path ba3026 → ba44b9 → ba6285 GetLastError
• Working-directory setup ba55a0: ba55c7 LocalAlloc → ba5632 lstrcmpA → ba564b LocalFree → ba5465 (49 API calls) / ba56ae GetTempPathA → ba5717 GetDriveTypeA → ba5730 GetFileAttributesA → ba57c1 GetWindowsDirectoryA → ba658a CharPrevA → ba57e8 GetFileAttributesA → ba57fa CreateDirectoryA → ba5827 SetFileAttributesA; ba586c GetWindowsDirectoryA → ba597d GetCurrentDirectoryA, SetCurrentDirectoryA; ba589f → ba6517 (24 API calls); also ba2630 (21 API calls) and ba6952
• Cleanup ba52b6: ba5300 LocalFree, LocalFree / ba52eb SetFileAttributesA, DeleteFileA → ba535e SetCurrentDirectoryA → ba2390; ba65e8 (4 API calls); ba5374 → ba1fe1
• Recursive directory removal ba2390: ba23e9 FindFirstFileA → ba2421 lstrcmpA → ba2431 lstrcmpA → ba2488 SetFileAttributesA, DeleteFileA → ba24a9 FindNextFileA → ba24bd FindClose, RemoveDirectoryA; recurses into ba2390 and uses ba658a CharPrevA
• Command-line handling ba5c9e: ba5ced CharNextA → ba5dec GetModuleFileNameA → ba66c8 (CharNextA, IsDBCSLeadByte) → ba5e36 / ba5edc / ba5f9f / ba6003 / ba60a2 CharUpperA, ba5f59 CompareStringA, ba667f IsDBCSLeadByte, CharNextA → ba61d0 → ba44b9 → ba61f0 CloseHandle → ba61f7 ExitProcess; ba6218 → ba6e2a → ba6cf0
• Error reporting ba44b9: ba44fe LoadStringA → ba681f → ba4536 MessageBoxA; ba4596 / ba45cd / ba4607 LocalAlloc → ba171e _vsnprintf → ba462d MessageBeep → ba681f → ba67c9 EnumResourceLanguagesA → ba4645 MessageBoxA, LocalFree
• ba681f: ba6857 GetVersionExA → ba68a5 GetSystemMetrics → ba68b5 RegOpenKeyExA → ba68d6 RegQueryValueExA, RegCloseKey → ba66f9 → ba6740 CharNextA
• ba36ee GetVersionExA → ba28e8 / ba372d → ba44b9; ba39c1 MessageBeep → ba681f → ba39d8 MessageBoxA / ba67c9 EnumResourceLanguagesA; ba2e92 → ba18a3
• Path expansion ba28e8: ba2955 GlobalAlloc → ba2968 GlobalLock → ba2a20 / ba2a80 GlobalUnlock → ba2a6e GlobalFree; via ba2773 CharUpperA, CharNextA, CharNextA → ba658a CharPrevA → ba2810 RegOpenKeyExA → ba2837 RegQueryValueExA → ba2867 ExpandEnvironmentStringsA → ba289a RegCloseKey; ba28a8 GetWindowsDirectoryA / ba28b7 GetSystemDirectoryA
• Dialog procedure ba34f0: ba35be GetDesktopWindow → ba43d0 (6 API calls) → ba4463 SetWindowPos → ba35e0 GetDlgItem, SendMessageA, GetDlgItem, SendMessageA → ba361d SetWindowTextA, CreateThread; ba3559 ResetEvent → ba44b9 → ba358a / ba359b SetEvent → ba3680 (4 API calls); ba352d TerminateThread, EndDialog; ba3671 EndDialog
• Helpers: ba51e5 (ba468f, LocalAlloc, lstrcmpA, LocalFree, ba6285 GetLastError); ba5164 (ba468f, ba6298 10 API calls); ba621e GetWindowsDirectoryA → ba597d / ba44b9 → ba6285 GetLastError; ba3b26 → ba4fe0 / ba6517 → ba6298; ba256d → ba24e0 GetWindowsDirectoryA
• Isolated nodes: ba4ca0 GlobalAlloc; ba6ef0 → ba6f27 ?terminate@; ba7270 _except_handler4_common; ba6bef _XcptFilter
2664 ba25e8 RegOpenKeyExA 2661->2664 2666 ba25e3 2663->2666 2668 ba259b RegOpenKeyExA 2663->2668 2665 ba2609 RegQueryInfoKeyA 2664->2665 2664->2666 2667 ba25d1 RegCloseKey 2665->2667 2666->2309 2667->2666 2668->2666 2669 ba25bc RegQueryValueExA 2668->2669 2669->2667 2671 ba3bdb 2670->2671 2679 ba3bec 2670->2679 2672 ba468f 7 API calls 2671->2672 2672->2679 2673 ba3c03 memset 2673->2679 2674 ba468f 7 API calls 2674->2679 2675 ba3d13 2676 ba44b9 20 API calls 2675->2676 2703 ba3d26 2676->2703 2678 ba3f4d 2680 ba6ce0 4 API calls 2678->2680 2679->2673 2679->2674 2679->2675 2679->2678 2682 ba3d7b CompareStringA 2679->2682 2685 ba3fab 2679->2685 2687 ba3f1e LocalFree 2679->2687 2688 ba3f46 LocalFree 2679->2688 2692 ba3fd7 2679->2692 2693 ba3cc7 CompareStringA 2679->2693 2704 ba3e10 2679->2704 2916 ba1ae8 2679->2916 2956 ba202a memset memset RegCreateKeyExA 2679->2956 2982 ba3fef 2679->2982 2681 ba3f60 2680->2681 2681->2310 2682->2679 2682->2692 2686 ba44b9 20 API calls 2685->2686 2690 ba3fbe LocalFree 2686->2690 2687->2679 2687->2692 2688->2678 2690->2678 2692->2678 3006 ba2267 2692->3006 2693->2679 2694 ba3e1f GetProcAddress 2696 ba3f64 2694->2696 2694->2704 2695 ba3f92 2697 ba44b9 20 API calls 2695->2697 2698 ba44b9 20 API calls 2696->2698 2699 ba3fa9 2697->2699 2700 ba3f75 FreeLibrary 2698->2700 2701 ba3f7c LocalFree 2699->2701 2700->2701 2702 ba6285 GetLastError 2701->2702 2702->2703 2703->2678 2704->2694 2704->2695 2705 ba3eff FreeLibrary 2704->2705 2706 ba3f40 FreeLibrary 2704->2706 2996 ba6495 2704->2996 2705->2687 2706->2688 2708 ba468f 7 API calls 2707->2708 2709 ba3a55 LocalAlloc 2708->2709 2710 ba3a8e 2709->2710 2711 ba3a6c 2709->2711 2712 ba468f 7 API calls 2710->2712 2713 ba44b9 20 API calls 2711->2713 2714 ba3a98 2712->2714 2715 ba3a7d 2713->2715 2716 ba3a9c 2714->2716 2717 ba3ac5 lstrcmpA 2714->2717 2718 ba6285 GetLastError 2715->2718 2719 ba44b9 20 API calls 2716->2719 2720 ba3ada 2717->2720 2721 ba3b0d LocalFree 2717->2721 2724 ba2f64 2718->2724 2722 
ba3aad LocalFree 2719->2722 2723 ba6517 24 API calls 2720->2723 2721->2724 2722->2724 2725 ba3aec LocalFree 2723->2725 2724->2280 2724->2315 2725->2724 2727 ba303c 2726->2727 2727->2315 2729 ba468f 7 API calls 2728->2729 2730 ba417d LocalAlloc 2729->2730 2731 ba41a8 2730->2731 2732 ba4195 2730->2732 2734 ba468f 7 API calls 2731->2734 2733 ba44b9 20 API calls 2732->2733 2735 ba41a6 2733->2735 2736 ba41b5 2734->2736 2735->2315 2737 ba41b9 2736->2737 2738 ba41c5 lstrcmpA 2736->2738 2740 ba44b9 20 API calls 2737->2740 2738->2737 2739 ba41e6 LocalFree 2738->2739 2739->2735 2740->2739 2742 ba171e _vsnprintf 2741->2742 2743 ba62c9 FindResourceA 2742->2743 2745 ba62cb LoadResource LockResource 2743->2745 2746 ba6353 2743->2746 2745->2746 2749 ba62e0 2745->2749 2747 ba6ce0 4 API calls 2746->2747 2748 ba51ca 2747->2748 2748->2586 2748->2587 2750 ba631b FreeResource 2749->2750 2751 ba6355 FreeResource 2749->2751 2752 ba171e _vsnprintf 2750->2752 2751->2746 2752->2743 2754 ba548a 2753->2754 2772 ba551a 2753->2772 2814 ba53a1 2754->2814 2757 ba5581 2759 ba6ce0 4 API calls 2757->2759 2765 ba559a 2759->2765 2760 ba553b CreateDirectoryA 2766 ba5577 2760->2766 2767 ba5547 2760->2767 2761 ba554d 2761->2757 2768 ba597d 34 API calls 2761->2768 2762 ba5495 2762->2757 2763 ba550c 2762->2763 2764 ba54c2 GetSystemInfo 2762->2764 2769 ba658a CharPrevA 2763->2769 2775 ba54da 2764->2775 2765->2605 2777 ba2630 GetWindowsDirectoryA 2765->2777 2770 ba6285 GetLastError 2766->2770 2767->2761 2771 ba555c 2768->2771 2769->2772 2773 ba557c 2770->2773 2771->2757 2776 ba5568 RemoveDirectoryA 2771->2776 2825 ba58c8 2772->2825 2773->2757 2774 ba658a CharPrevA 2774->2763 2775->2763 2775->2774 2776->2757 2778 ba265e 2777->2778 2779 ba266f 2777->2779 2780 ba44b9 20 API calls 2778->2780 2781 ba6ce0 4 API calls 2779->2781 2780->2779 2782 ba2687 2781->2782 2782->2619 2782->2629 2784 ba696e GetDiskFreeSpaceA 2783->2784 2785 ba69a1 2783->2785 2784->2785 2786 ba6989 MulDiv 2784->2786 2785->2638 2786->2785 2788 
ba59bb 2787->2788 2789 ba59dd GetDiskFreeSpaceA 2787->2789 2790 ba44b9 20 API calls 2788->2790 2791 ba5ba1 memset 2789->2791 2792 ba5a21 MulDiv 2789->2792 2793 ba59cc 2790->2793 2794 ba6285 GetLastError 2791->2794 2792->2791 2795 ba5a50 GetVolumeInformationA 2792->2795 2796 ba6285 GetLastError 2793->2796 2797 ba5bbc GetLastError FormatMessageA 2794->2797 2798 ba5a6e memset 2795->2798 2799 ba5ab5 SetCurrentDirectoryA 2795->2799 2811 ba59d1 2796->2811 2800 ba5be3 2797->2800 2801 ba6285 GetLastError 2798->2801 2808 ba5acc 2799->2808 2803 ba44b9 20 API calls 2800->2803 2804 ba5a89 GetLastError FormatMessageA 2801->2804 2802 ba5b94 2806 ba6ce0 4 API calls 2802->2806 2805 ba5bf5 SetCurrentDirectoryA 2803->2805 2804->2800 2805->2802 2807 ba5c11 2806->2807 2807->2619 2809 ba5b0a 2808->2809 2812 ba5b20 2808->2812 2810 ba44b9 20 API calls 2809->2810 2810->2811 2811->2802 2812->2802 2837 ba268b 2812->2837 2816 ba53bf 2814->2816 2815 ba171e _vsnprintf 2815->2816 2816->2815 2817 ba658a CharPrevA 2816->2817 2820 ba5415 GetTempFileNameA 2816->2820 2818 ba53fa RemoveDirectoryA GetFileAttributesA 2817->2818 2818->2816 2819 ba544f CreateDirectoryA 2818->2819 2819->2820 2821 ba543a 2819->2821 2820->2821 2822 ba5429 DeleteFileA CreateDirectoryA 2820->2822 2823 ba6ce0 4 API calls 2821->2823 2822->2821 2824 ba5449 2823->2824 2824->2762 2826 ba58d8 2825->2826 2826->2826 2827 ba58df LocalAlloc 2826->2827 2828 ba58f3 2827->2828 2830 ba5919 2827->2830 2829 ba44b9 20 API calls 2828->2829 2831 ba5906 2829->2831 2833 ba658a CharPrevA 2830->2833 2832 ba6285 GetLastError 2831->2832 2834 ba5534 2831->2834 2832->2834 2835 ba5931 CreateFileA LocalFree 2833->2835 2834->2760 2834->2761 2835->2831 2836 ba595b CloseHandle GetFileAttributesA 2835->2836 2836->2831 2838 ba26b9 2837->2838 2839 ba26e5 2837->2839 2840 ba171e _vsnprintf 2838->2840 2841 ba26ea 2839->2841 2842 ba271f 2839->2842 2843 ba26cc 2840->2843 2844 ba171e _vsnprintf 2841->2844 2845 ba26e3 2842->2845 2849 ba171e _vsnprintf 2842->2849 2846 
ba44b9 20 API calls 2843->2846 2848 ba26fd 2844->2848 2847 ba6ce0 4 API calls 2845->2847 2846->2845 2850 ba276d 2847->2850 2851 ba44b9 20 API calls 2848->2851 2852 ba2735 2849->2852 2850->2802 2851->2845 2853 ba44b9 20 API calls 2852->2853 2853->2845 2855 ba468f 7 API calls 2854->2855 2856 ba4ff5 FindResourceA LoadResource LockResource 2855->2856 2857 ba5020 2856->2857 2873 ba515f 2856->2873 2858 ba5029 GetDlgItem ShowWindow GetDlgItem ShowWindow 2857->2858 2859 ba5057 2857->2859 2858->2859 2876 ba4efd 2859->2876 2862 ba507c 2866 ba50e8 2862->2866 2871 ba5106 2862->2871 2863 ba5060 2864 ba44b9 20 API calls 2863->2864 2865 ba5075 2864->2865 2865->2871 2867 ba44b9 20 API calls 2866->2867 2867->2865 2868 ba511d 2870 ba513a 2868->2870 2872 ba5129 2868->2872 2869 ba5110 FreeResource 2869->2868 2870->2873 2875 ba514c SendMessageA 2870->2875 2871->2868 2871->2869 2874 ba44b9 20 API calls 2872->2874 2873->2656 2874->2870 2875->2873 2877 ba4f4a 2876->2877 2883 ba4fa1 2877->2883 2884 ba4980 2877->2884 2879 ba6ce0 4 API calls 2880 ba4fc6 2879->2880 2880->2862 2880->2863 2883->2879 2885 ba4990 2884->2885 2886 ba49c2 lstrcmpA 2885->2886 2887 ba49a5 2885->2887 2889 ba4a0e 2886->2889 2890 ba49ba 2886->2890 2888 ba44b9 20 API calls 2887->2888 2888->2890 2889->2890 2895 ba487a 2889->2895 2890->2883 2892 ba4b60 2890->2892 2893 ba4b92 FindCloseChangeNotification 2892->2893 2894 ba4b76 2892->2894 2893->2894 2894->2883 2896 ba48a2 CreateFileA 2895->2896 2898 ba4908 2896->2898 2899 ba48e9 2896->2899 2898->2890 2899->2898 2900 ba48ee 2899->2900 2903 ba490c 2900->2903 2904 ba48f5 CreateFileA 2903->2904 2905 ba4917 2903->2905 2904->2898 2905->2904 2906 ba4962 CharNextA 2905->2906 2907 ba4953 CreateDirectoryA 2905->2907 2906->2905 2907->2906 2909 ba255b 2908->2909 2910 ba2510 2908->2910 2912 ba6ce0 4 API calls 2909->2912 2911 ba658a CharPrevA 2910->2911 2913 ba2522 WritePrivateProfileStringA _lopen 2911->2913 2914 ba2569 2912->2914 2913->2909 2915 ba2548 _llseek _lclose 2913->2915 
2914->2666 2915->2909 2917 ba1b25 2916->2917 3020 ba1a84 2917->3020 2919 ba1b57 2920 ba658a CharPrevA 2919->2920 2922 ba1b8c 2919->2922 2920->2922 2921 ba66c8 2 API calls 2923 ba1bd1 2921->2923 2922->2921 2924 ba1bd9 CompareStringA 2923->2924 2925 ba1d73 2923->2925 2924->2925 2926 ba1bf7 GetFileAttributesA 2924->2926 2927 ba66c8 2 API calls 2925->2927 2928 ba1c0d 2926->2928 2929 ba1d53 2926->2929 2930 ba1d7d 2927->2930 2928->2929 2935 ba1a84 2 API calls 2928->2935 2933 ba44b9 20 API calls 2929->2933 2931 ba1df8 LocalAlloc 2930->2931 2932 ba1d81 CompareStringA 2930->2932 2931->2929 2934 ba1e0b GetFileAttributesA 2931->2934 2932->2931 2941 ba1d9b 2932->2941 2953 ba1cc2 2933->2953 2947 ba1e1d 2934->2947 2955 ba1e45 2934->2955 2936 ba1c31 2935->2936 2938 ba1c50 LocalAlloc 2936->2938 2942 ba1a84 2 API calls 2936->2942 2937 ba1e89 2940 ba6ce0 4 API calls 2937->2940 2938->2929 2939 ba1c67 GetPrivateProfileIntA GetPrivateProfileStringA 2938->2939 2949 ba1cf8 2939->2949 2939->2953 2946 ba1ea1 2940->2946 2941->2941 2943 ba1dbe LocalAlloc 2941->2943 2942->2938 2943->2929 2948 ba1de1 2943->2948 2946->2679 2947->2955 2950 ba171e _vsnprintf 2948->2950 2951 ba1d09 GetShortPathNameA 2949->2951 2952 ba1d23 2949->2952 2950->2953 2951->2952 2954 ba171e _vsnprintf 2952->2954 2953->2937 2954->2953 3026 ba2aac 2955->3026 2957 ba209a 2956->2957 2958 ba2256 2956->2958 2960 ba171e _vsnprintf 2957->2960 2963 ba20dc 2957->2963 2959 ba6ce0 4 API calls 2958->2959 2961 ba2263 2959->2961 2962 ba20af RegQueryValueExA 2960->2962 2961->2679 2962->2957 2962->2963 2964 ba20fb GetSystemDirectoryA 2963->2964 2965 ba20e4 RegCloseKey 2963->2965 2966 ba658a CharPrevA 2964->2966 2965->2958 2967 ba211b LoadLibraryA 2966->2967 2968 ba2179 GetModuleFileNameA 2967->2968 2969 ba212e GetProcAddress FreeLibrary 2967->2969 2971 ba21de RegCloseKey 2968->2971 2974 ba2177 2968->2974 2969->2968 2970 ba214e GetSystemDirectoryA 2969->2970 2972 ba2165 2970->2972 2970->2974 2971->2958 2973 ba658a CharPrevA 2972->2973 
2973->2974 2974->2974 2975 ba21b7 LocalAlloc 2974->2975 2976 ba21cd 2975->2976 2977 ba21ec 2975->2977 2978 ba44b9 20 API calls 2976->2978 2979 ba171e _vsnprintf 2977->2979 2978->2971 2980 ba2218 RegSetValueExA RegCloseKey LocalFree 2979->2980 2980->2958 2983 ba4106 2982->2983 2984 ba4016 CreateProcessA 2982->2984 2987 ba6ce0 4 API calls 2983->2987 2985 ba4041 WaitForSingleObject GetExitCodeProcess 2984->2985 2986 ba40c4 2984->2986 2989 ba4070 2985->2989 2988 ba6285 GetLastError 2986->2988 2990 ba4117 2987->2990 2991 ba40c9 GetLastError FormatMessageA 2988->2991 3053 ba411b 2989->3053 2990->2679 2994 ba44b9 20 API calls 2991->2994 2993 ba4096 CloseHandle CloseHandle 2993->2983 2995 ba40ba 2993->2995 2994->2983 2995->2983 2997 ba64c2 2996->2997 2998 ba658a CharPrevA 2997->2998 2999 ba64d8 GetFileAttributesA 2998->2999 3000 ba64ea 2999->3000 3001 ba6501 LoadLibraryA 2999->3001 3000->3001 3002 ba64ee LoadLibraryExA 3000->3002 3003 ba6508 3001->3003 3002->3003 3004 ba6ce0 4 API calls 3003->3004 3005 ba6513 3004->3005 3005->2704 3007 ba2289 RegOpenKeyExA 3006->3007 3008 ba2381 3006->3008 3007->3008 3010 ba22b1 RegQueryValueExA 3007->3010 3009 ba6ce0 4 API calls 3008->3009 3011 ba238c 3009->3011 3012 ba22e6 memset GetSystemDirectoryA 3010->3012 3013 ba2374 RegCloseKey 3010->3013 3011->2678 3014 ba230f 3012->3014 3015 ba2321 3012->3015 3013->3008 3016 ba658a CharPrevA 3014->3016 3017 ba171e _vsnprintf 3015->3017 3016->3015 3018 ba233f RegSetValueExA 3017->3018 3018->3013 3021 ba1a9a 3020->3021 3023 ba1aba 3021->3023 3025 ba1aaf 3021->3025 3039 ba667f 3021->3039 3023->2919 3024 ba667f 2 API calls 3024->3025 3025->3023 3025->3024 3027 ba2be6 3026->3027 3028 ba2ad4 GetModuleFileNameA 3026->3028 3029 ba6ce0 4 API calls 3027->3029 3037 ba2b02 3028->3037 3031 ba2bf5 3029->3031 3030 ba2af1 IsDBCSLeadByte 3030->3037 3031->2937 3032 ba2bca CharNextA 3034 ba2bd3 CharNextA 3032->3034 3033 ba2b11 CharNextA CharUpperA 3035 ba2b8d CharUpperA 3033->3035 3033->3037 3034->3037 3035->3037 
3037->3027 3037->3030 3037->3032 3037->3033 3037->3034 3037->3037 3038 ba2b43 CharPrevA 3037->3038 3044 ba65e8 3037->3044 3038->3037 3042 ba6689 3039->3042 3040 ba6648 IsDBCSLeadByte 3040->3042 3041 ba66a5 3041->3021 3042->3040 3042->3041 3043 ba6697 CharNextA 3042->3043 3043->3042 3045 ba65f4 3044->3045 3045->3045 3046 ba65fb CharPrevA 3045->3046 3047 ba6611 CharPrevA 3046->3047 3048 ba660b 3047->3048 3049 ba661e 3047->3049 3048->3047 3048->3049 3050 ba663d 3049->3050 3051 ba6627 CharPrevA 3049->3051 3052 ba6634 CharNextA 3049->3052 3050->3037 3051->3050 3051->3052 3052->3050 3054 ba4132 3053->3054 3056 ba412a 3053->3056 3057 ba1ea7 3054->3057 3056->2993 3058 ba1eba 3057->3058 3059 ba1ed3 3057->3059 3060 ba256d 15 API calls 3058->3060 3059->3056 3060->3059 3062 ba1ff0 RegOpenKeyExA 3061->3062 3063 ba2026 3061->3063 3062->3063 3064 ba200f RegDeleteValueA RegCloseKey 3062->3064 3063->2321 3064->3063 3174 ba19e0 3175 ba1a03 3174->3175 3176 ba1a24 GetDesktopWindow 3174->3176 3177 ba1a20 3175->3177 3179 ba1a16 EndDialog 3175->3179 3178 ba43d0 11 API calls 3176->3178 3181 ba6ce0 4 API calls 3177->3181 3180 ba1a33 LoadStringA SetDlgItemTextA MessageBeep 3178->3180 3179->3177 3180->3177 3182 ba1a7e 3181->3182 3183 ba6a20 __getmainargs 3065 ba4cd0 3066 ba4cf4 3065->3066 3068 ba4d0b 3065->3068 3067 ba4d02 3066->3067 3069 ba4b60 FindCloseChangeNotification 3066->3069 3070 ba6ce0 4 API calls 3067->3070 3068->3067 3071 ba4dcb 3068->3071 3074 ba4d25 3068->3074 3069->3067 3072 ba4e95 3070->3072 3073 ba4dd4 SetDlgItemTextA 3071->3073 3075 ba4de3 3071->3075 3073->3075 3074->3067 3088 ba4c37 3074->3088 3075->3067 3093 ba476d 3075->3093 3079 ba4e38 3079->3067 3081 ba4980 25 API calls 3079->3081 3080 ba4b60 FindCloseChangeNotification 3082 ba4d99 SetFileAttributesA 3080->3082 3083 ba4e56 3081->3083 3082->3067 3083->3067 3084 ba4e64 3083->3084 3102 ba47e0 LocalAlloc 3084->3102 3087 ba4e6f 3087->3067 3089 ba4c4c DosDateTimeToFileTime 3088->3089 3091 ba4c88 3088->3091 3090 ba4c5e 
LocalFileTimeToFileTime 3089->3090 3089->3091 3090->3091 3092 ba4c70 SetFileTime 3090->3092 3091->3067 3091->3080 3092->3091 3111 ba66ae GetFileAttributesA 3093->3111 3096 ba477b 3096->3079 3097 ba47cc SetFileAttributesA 3098 ba47db 3097->3098 3098->3079 3099 ba6517 24 API calls 3100 ba47b1 3099->3100 3100->3097 3100->3098 3101 ba47c2 3100->3101 3101->3097 3103 ba480f LocalAlloc 3102->3103 3104 ba47f6 3102->3104 3107 ba480b 3103->3107 3108 ba4831 3103->3108 3105 ba44b9 20 API calls 3104->3105 3105->3107 3107->3087 3109 ba44b9 20 API calls 3108->3109 3110 ba4846 LocalFree 3109->3110 3110->3107 3112 ba4777 3111->3112 3112->3096 3112->3097 3112->3099 3113 ba4ad0 3121 ba3680 3113->3121 3116 ba4ae9 3117 ba4aee WriteFile 3118 ba4b0f 3117->3118 3119 ba4b14 3117->3119 3119->3118 3120 ba4b3b SendDlgItemMessageA 3119->3120 3120->3118 3122 ba3691 MsgWaitForMultipleObjects 3121->3122 3123 ba36e8 3122->3123 3124 ba36a9 PeekMessageA 3122->3124 3123->3116 3123->3117 3124->3122 3125 ba36bc 3124->3125 3125->3122 3125->3123 3126 ba36c7 DispatchMessageA 3125->3126 3127 ba36d1 PeekMessageA 3125->3127 3126->3127 3127->3125 3184 ba3210 3185 ba328e EndDialog 3184->3185 3186 ba3227 3184->3186 3201 ba3239 3185->3201 3187 ba33e2 GetDesktopWindow 3186->3187 3188 ba3235 3186->3188 3190 ba43d0 11 API calls 3187->3190 3192 ba324c 3188->3192 3193 ba32dd GetDlgItemTextA 3188->3193 3188->3201 3191 ba33f1 SetWindowTextA SendDlgItemMessageA 3190->3191 3194 ba341f GetDlgItem EnableWindow 3191->3194 3191->3201 3195 ba3251 3192->3195 3196 ba32c5 EndDialog 3192->3196 3202 ba32fc 3193->3202 3217 ba3366 3193->3217 3194->3201 3197 ba325c LoadStringA 3195->3197 3195->3201 3196->3201 3199 ba327b 3197->3199 3200 ba3294 3197->3200 3198 ba44b9 20 API calls 3198->3201 3205 ba44b9 20 API calls 3199->3205 3222 ba4224 LoadLibraryA 3200->3222 3204 ba3331 GetFileAttributesA 3202->3204 3202->3217 3208 ba333f 3204->3208 3209 ba337c 3204->3209 3205->3185 3207 ba32a5 SetDlgItemTextA 3207->3199 3207->3201 3211 ba44b9 20 
API calls 3208->3211 3210 ba658a CharPrevA 3209->3210 3212 ba338d 3210->3212 3213 ba3351 3211->3213 3214 ba58c8 27 API calls 3212->3214 3213->3201 3215 ba335a CreateDirectoryA 3213->3215 3216 ba3394 3214->3216 3215->3209 3215->3217 3216->3217 3218 ba33a4 3216->3218 3217->3198 3219 ba33c7 EndDialog 3218->3219 3220 ba597d 34 API calls 3218->3220 3219->3201 3221 ba33c3 3220->3221 3221->3201 3221->3219 3223 ba43b2 3222->3223 3224 ba4246 GetProcAddress 3222->3224 3228 ba44b9 20 API calls 3223->3228 3225 ba425d GetProcAddress 3224->3225 3226 ba43a4 FreeLibrary 3224->3226 3225->3226 3227 ba4274 GetProcAddress 3225->3227 3226->3223 3227->3226 3229 ba428b 3227->3229 3230 ba329d 3228->3230 3231 ba4295 GetTempPathA 3229->3231 3236 ba42e1 3229->3236 3230->3201 3230->3207 3232 ba42ad 3231->3232 3232->3232 3233 ba42b4 CharPrevA 3232->3233 3234 ba42d0 CharPrevA 3233->3234 3233->3236 3234->3236 3235 ba4390 FreeLibrary 3235->3230 3236->3235 3237 ba4a50 3238 ba4a9f ReadFile 3237->3238 3239 ba4a66 3237->3239 3240 ba4abb 3238->3240 3239->3240 3241 ba4a82 memcpy 3239->3241 3241->3240 3242 ba3450 3243 ba345e 3242->3243 3244 ba34d3 EndDialog 3242->3244 3245 ba349a GetDesktopWindow 3243->3245 3250 ba3465 3243->3250 3246 ba346a 3244->3246 3247 ba43d0 11 API calls 3245->3247 3248 ba34ac SetWindowTextA SetDlgItemTextA SetForegroundWindow 3247->3248 3248->3246 3249 ba348c EndDialog 3249->3246 3250->3246 3250->3249 3251 ba6c03 3252 ba6c1e 3251->3252 3253 ba6c17 _exit 3251->3253 3254 ba6c27 _cexit 3252->3254 3255 ba6c32 3252->3255 3253->3252 3254->3255 3128 ba4cc0 GlobalFree 3256 ba4bc0 3257 ba4bd7 3256->3257 3258 ba4c05 3256->3258 3258->3257 3259 ba4c1b SetFilePointer 3258->3259 3259->3257 3260 ba30c0 3261 ba30de CallWindowProcA 3260->3261 3262 ba30ce 3260->3262 3263 ba30da 3261->3263 3262->3261 3262->3263 3264 ba63c0 3265 ba6407 3264->3265 3266 ba658a CharPrevA 3265->3266 3267 ba6415 CreateFileA 3266->3267 3268 ba6448 WriteFile 3267->3268 3269 ba643a 3267->3269 3270 ba6465 CloseHandle 
3268->3270 3272 ba6ce0 4 API calls 3269->3272 3270->3269 3273 ba648f 3272->3273 3274 ba3100 3275 ba31b0 3274->3275 3277 ba3111 3274->3277 3276 ba31b9 SendDlgItemMessageA 3275->3276 3278 ba3141 3275->3278 3276->3278 3279 ba3149 GetDesktopWindow 3277->3279 3280 ba311d 3277->3280 3282 ba43d0 11 API calls 3279->3282 3280->3278 3281 ba3138 EndDialog 3280->3281 3281->3278 3283 ba315d 6 API calls 3282->3283 3283->3278 3284 ba4200 3285 ba420b SendMessageA 3284->3285 3286 ba421e 3284->3286 3285->3286 3287 ba6f40 SetUnhandledExceptionFilter

Callgraph

Interactive callgraph omitted. It lists Function_00BA1680 through Function_00BA72A2 (120 nodes) and their call edges; the most connected callees are Function_00BA44B9 (error/message formatting, reached from most routines), Function_00BA6CE0 (epilogue that reaches the SetUnhandledExceptionFilter routine at 00BA6CF0), Function_00BA468F (resource loading), Function_00BA658A (CharPrevA path helper) and Function_00BA6285 (GetLastError wrapper).

Control-flow Graph

Interactive control-flow graph of the function at 0x00BA3BA2 omitted (basic blocks 0x00BA3BA2–0x00BA3FEA). Along its paths it calls memset, CompareStringA, GetProcAddress, FreeLibrary and LocalFree, and the subroutines 00BA468F, 00BA44B9, 00BA1781, 00BA1AE8, 00BA202A, 00BA6495, 00BA3FEF, 00BA2267, 00BA6285 and 00BA6CE0.
APIs
• memset.MSVCRT ref: 00BA3C11
• CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00BA3CDC
  • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46A0
  • Part of subcall function 00BA468F: SizeofResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46A9
  • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46C3
  • Part of subcall function 00BA468F: LoadResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46CC
  • Part of subcall function 00BA468F: LockResource.KERNEL32(00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46D3
  • Part of subcall function 00BA468F: memcpy_s.MSVCRT ref: 00BA46E5
  • Part of subcall function 00BA468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46EF
• CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00BA8C42), ref: 00BA3D8F
• GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00BA3E26
• FreeLibrary.KERNEL32(00000000,?,00BA8C42), ref: 00BA3EFF
• LocalFree.KERNEL32(?,?,?,?,00BA8C42), ref: 00BA3F1F
• FreeLibrary.KERNEL32(00000000,?,00BA8C42), ref: 00BA3F40
• LocalFree.KERNEL32(?,?,?,?,00BA8C42), ref: 00BA3F47
• FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00BA8C42), ref: 00BA3F76
• LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00BA8C42), ref: 00BA3F80
• LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00BA8C42), ref: 00BA3FC2
Strings
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
• String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$smo
• API String ID: 1032054927-1275553841
• Opcode ID: 6d7f8c93278e57fb5108200c0aca89cb9ef802e42d14e39f6b0a5a4b86e18f32
• Instruction ID: b31059fddd091eacca4c81be4b177f2b89fe8971dd656d20e78390bf3bf92409
• Opcode Fuzzy Hash: 6d7f8c93278e57fb5108200c0aca89cb9ef802e42d14e39f6b0a5a4b86e18f32
• Instruction Fuzzy Hash: AAB1C370A1C3019FD760DF28D846B6B76E4EB87B50F1009AEFA95D7190EB71C944CB62
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for function 0x00BA1AE8 (basic blocks 0x00BA1AE8 through 0x00BA1EA4; graph edge list omitted). Calls appearing in the graph: CompareStringA, GetFileAttributesA, LocalAlloc, GetPrivateProfileIntA, GetPrivateProfileStringA, GetShortPathNameA, and subroutines 0x00BA1680, 0x00BA1A84, 0x00BA1781, 0x00BA658A, 0x00BA66C8, 0x00BA44B9, 0x00BA6CE0, 0x00BA2AAC, 0x00BA171E, 0x00BA16B3.
APIs
• CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00BA1BE7
• GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00BA1BFE
• LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00BA1C57
• GetPrivateProfileIntA.KERNEL32(?,Reboot,00000000,?), ref: 00BA1C88
• GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00BA1140,00000000,00000008,?), ref: 00BA1CB8
• GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00BA1D1B
  • Part of subcall function 00BA44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00BA4518
  • Part of subcall function 00BA44B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00BA4554
Strings
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
• String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
• API String ID: 383838535-852641736
• Opcode ID: 4191ef1f633e46bade6a9b472433ebf3bcf51e4ffebe6f6acedee0514635207e
• Instruction ID: 3e3dac493396d24bc0728301d79bdd13d7cc363e7ea57ab53f4051a68dd4594b
• Opcode Fuzzy Hash: 4191ef1f633e46bade6a9b472433ebf3bcf51e4ffebe6f6acedee0514635207e
• Instruction Fuzzy Hash: FEA15B71A0C2146BEBA09B2CCC45BEA77E9DB47310F144AE5E595B32D0DFB09D85CB60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for function 0x00BA2F1D (basic blocks 0x00BA2F1D through 0x00BA30B7; graph edge list omitted). Calls appearing in the graph: GetSystemDirectoryA, LoadLibraryA, GetProcAddress, DecryptFileA, FreeLibrary, SetCurrentDirectoryA, and subroutines 0x00BA5164, 0x00BA51E5, 0x00BA3A3F, 0x00BA55A0, 0x00BA6CE0, 0x00BA658A, 0x00BA621E, 0x00BA44B9, 0x00BA6285, 0x00BA3B26, 0x00BA256D, 0x00BA3BA2, 0x00BA4169.
APIs
• GetSystemDirectoryA.KERNEL32(?,00000105), ref: 00BA2F93
• LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00BA2FB2
• GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00BA2FC6
• DecryptFileA.ADVAPI32 ref: 00BA2FE6
• FreeLibrary.KERNEL32(00000000), ref: 00BA2FF8
• SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00BA301C
  • Part of subcall function 00BA51E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00BA2F4D,?,00000002,00000000), ref: 00BA5201
Strings
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
• String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$DecryptFileA$advapi32.dll
• API String ID: 2126469477-2099937843
• Opcode ID: 468a057a8a617e48fbea96ddbf13c6e60030f9c32358afdd18b1c18354a1c41b
• Instruction ID: 866598fb1b092e28485ed4392f3aabdea76429d2ba69a01d2e1ff6f13caef64e
• Opcode Fuzzy Hash: 468a057a8a617e48fbea96ddbf13c6e60030f9c32358afdd18b1c18354a1c41b
• Instruction Fuzzy Hash: 2D41D330A082059EDB30AB75EC4B76A37E9EB67B50F0000E6F941D35A1EF74CE80CA61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• FindFirstFileA.KERNELBASE(?,00BA8A3A,00BA11F4,00BA8A3A,00000000,?,?), ref: 00BA23F6
• lstrcmpA.KERNEL32(?,00BA11F8), ref: 00BA2427
• lstrcmpA.KERNEL32(?,00BA11FC), ref: 00BA243B
• SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00BA2495
• DeleteFileA.KERNEL32(?), ref: 00BA24A3
• FindNextFileA.KERNELBASE(00000000,00000010), ref: 00BA24AF
• FindClose.KERNELBASE(00000000), ref: 00BA24BE
• RemoveDirectoryA.KERNELBASE(00BA8A3A), ref: 00BA24C5
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 836429354-0
                                                                                                                                                                                                                  • Opcode ID: 0988155890a2c14ae7759e9e1eb42bd57c19dc3cc1cb14193363b90fa8279f8e
                                                                                                                                                                                                                  • Instruction ID: 74bfb4521942b3eb6543323b021e92cdb68006991cce963f621c78f1c22668d8
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0988155890a2c14ae7759e9e1eb42bd57c19dc3cc1cb14193363b90fa8279f8e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 90316031608640ABD321DBA8CD8AAEB73ECEB8B305F04496DA55587290EF349909C762
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetVersion.KERNEL32(?,00000002,00000000,?,00BA6BB0,00BA0000,00000000,00000002,0000000A), ref: 00BA2C03
                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(Kernel32.dll,?,00BA6BB0,00BA0000,00000000,00000002,0000000A), ref: 00BA2C18
                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00BA2C28
                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00BA6BB0,00BA0000,00000000,00000002,0000000A), ref: 00BA2C98
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Handle$AddressCloseModuleProcVersion
                                                                                                                                                                                                                  • String ID: HeapSetInformation$Kernel32.dll
                                                                                                                                                                                                                  • API String ID: 62482547-3460614246
                                                                                                                                                                                                                  • Opcode ID: 06789c4e427d5b9b3a6a87fce34b91c4a0ba852fb5a1895389541c9a7fe0e088
                                                                                                                                                                                                                  • Instruction ID: f9f942886cbf09ec17e6142165a42ac14b9f4a394a092dfc3fc950eeaa82728b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06789c4e427d5b9b3a6a87fce34b91c4a0ba852fb5a1895389541c9a7fe0e088
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CF11CE312083057BD7206BBCAC8AB6F37E9DB8B7A0B0500A5F900E3260EF31DC01C661
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • memset.MSVCRT ref: 00BA2050
                                                                                                                                                                                                                  • memset.MSVCRT ref: 00BA205F
                                                                                                                                                                                                                  • RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00BA208C
                                                                                                                                                                                                                    • Part of subcall function 00BA171E: _vsnprintf.MSVCRT ref: 00BA1750
                                                                                                                                                                                                                  • RegQueryValueExA.KERNELBASE(?,wextract_cleanup2,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00BA20C9
                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00BA20EA
                                                                                                                                                                                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00BA2103
                                                                                                                                                                                                                  • LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00BA2122
                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00BA2134
                                                                                                                                                                                                                  • FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00BA2144
                                                                                                                                                                                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00BA215B
                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00BA218C
                                                                                                                                                                                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00BA21C1
                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00BA21E4
                                                                                                                                                                                                                  • RegSetValueExA.KERNELBASE(?,wextract_cleanup2,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 00BA223D
                                                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00BA2249
                                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00BA2250
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
                                                                                                                                                                                                                  • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup2
                                                                                                                                                                                                                  • API String ID: 178549006-2699677747
                                                                                                                                                                                                                  • Opcode ID: 7809f149a93be661bfaa018d360a1014ec350f591af9bc7d3ef24ff55781831a
                                                                                                                                                                                                                  • Instruction ID: f3c6dc013c4446a2d5b8b21ab73efa9606b9ce9b41b1b950aa38f31000fd7fe7
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7809f149a93be661bfaa018d360a1014ec350f591af9bc7d3ef24ff55781831a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C051B271A08214ABDB309B68DC4AFFA77A8EB57700F0041E5FA49A7151EF719D49CA60
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

[Control-flow graph of function 00BA55A0 (basic blocks ba55a0 to ba58c7). The graph image and its Executed / Not Executed colouring are not recoverable from the text. Blocks in the graph call LocalAlloc, lstrcmpA, LocalFree, GetTempPathA, GetDriveTypeA, GetFileAttributesA, GetWindowsDirectoryA, CreateDirectoryA and SetFileAttributesA, and the subroutines ba468f, ba44b9, ba6285, ba5467, ba1781, ba2630, ba597d, ba658a, ba6952, ba6517 and ba6ce0.]
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46A0
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: SizeofResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46A9
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46C3
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: LoadResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46CC
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: LockResource.KERNEL32(00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46D3
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: memcpy_s.MSVCRT ref: 00BA46E5
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46EF
                                                                                                                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 00BA55CF
                                                                                                                                                                                                                  • lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00BA5638
                                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00BA564C
                                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00BA5620
                                                                                                                                                                                                                    • Part of subcall function 00BA44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00BA4518
                                                                                                                                                                                                                    • Part of subcall function 00BA44B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00BA4554
                                                                                                                                                                                                                    • Part of subcall function 00BA6285: GetLastError.KERNEL32(00BA5BBC), ref: 00BA6285
                                                                                                                                                                                                                  • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00BA56B9
                                                                                                                                                                                                                  • GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 00BA571E
                                                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00BA5737
                                                                                                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 00BA57CD
                                                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 00BA57EF
                                                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00BA5802
                                                                                                                                                                                                                    • Part of subcall function 00BA2630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00BA2654
                                                                                                                                                                                                                  • SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00BA5830
                                                                                                                                                                                                                    • Part of subcall function 00BA6517: FindResourceA.KERNEL32(00BA0000,000007D6,00000005), ref: 00BA652A
                                                                                                                                                                                                                    • Part of subcall function 00BA6517: LoadResource.KERNEL32(00BA0000,00000000,?,?,00BA2EE8,00000000,00BA19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00BA6538
                                                                                                                                                                                                                    • Part of subcall function 00BA6517: DialogBoxIndirectParamA.USER32(00BA0000,00000000,00000547,00BA19E0,00000000), ref: 00BA6557
                                                                                                                                                                                                                    • Part of subcall function 00BA6517: FreeResource.KERNEL32(00000000,?,?,00BA2EE8,00000000,00BA19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00BA6560
                                                                                                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00BA5878
                                                                                                                                                                                                                    • Part of subcall function 00BA597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00BA59A8
                                                                                                                                                                                                                    • Part of subcall function 00BA597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 00BA59AF
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
                                                                                                                                                                                                                  • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$RUNPROGRAM$Z$msdownld.tmp
                                                                                                                                                                                                                  • API String ID: 2436801531-2610921595
                                                                                                                                                                                                                  • Opcode ID: be5f6668aecf06d539d671f000dab2feff3677d86aa14c1c10ff5a65e3056107
                                                                                                                                                                                                                  • Instruction ID: b8620dfcc02c371cae945c28f8d402dbf6452e49c17e0cac1f44f86c69591fb1
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: be5f6668aecf06d539d671f000dab2feff3677d86aa14c1c10ff5a65e3056107
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE81F871A0CA04AADB34AB249C85BEE76EDDB67300F4404E5F586E3591EF748FC5CA60
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                  control_flow_graph 324 ba2caa-ba2d1c memset * 3 call ba468f 327 ba2d22-ba2d27 324->327 328 ba2ef3 324->328 327->328 329 ba2d2d-ba2d59 CreateEventA SetEvent call ba468f 327->329 330 ba2ef8-ba2f01 call ba44b9 328->330 335 ba2d5b-ba2d78 call ba44b9 329->335 336 ba2d7d-ba2d84 329->336 334 ba2f06 330->334 337 ba2f08-ba2f18 call ba6ce0 334->337 335->334 339 ba2d8a-ba2da1 call ba468f 336->339 340 ba2e1f-ba2e2e call ba5c9e 336->340 339->335 348 ba2da3-ba2dbb CreateMutexA 339->348 349 ba2e3a-ba2e41 340->349 350 ba2e30-ba2e35 340->350 348->340 353 ba2dbd-ba2dc8 GetLastError 348->353 351 ba2e52-ba2e62 FindResourceA 349->351 352 ba2e43-ba2e4d call ba2390 349->352 350->330 356 ba2e6e-ba2e75 351->356 357 ba2e64-ba2e6c LoadResource 351->357 352->334 353->340 355 ba2dca-ba2dd3 353->355 359 ba2dea-ba2e02 call ba44b9 355->359 360 ba2dd5-ba2de8 call ba44b9 355->360 361 ba2e7d-ba2e84 356->361 362 ba2e77 356->362 357->356 359->340 370 ba2e04-ba2e1a CloseHandle 359->370 360->370 365 ba2e8b-ba2e94 call ba36ee 361->365 366 ba2e86-ba2e89 361->366 362->361 365->334 372 ba2e96-ba2ea2 365->372 366->337 370->334 373 ba2eb0-ba2eba 372->373 374 ba2ea4-ba2ea8 372->374 376 ba2eef-ba2ef1 373->376 377 ba2ebc-ba2ec3 373->377 374->373 375 ba2eaa-ba2eae 374->375 375->373 375->376 376->337 377->376 378 ba2ec5-ba2ecc call ba18a3 377->378 378->376 381 ba2ece-ba2eed call ba6517 378->381 381->334 381->376
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • memset.MSVCRT ref: 00BA2CD9
                                                                                                                                                                                                                  • memset.MSVCRT ref: 00BA2CE9
                                                                                                                                                                                                                  • memset.MSVCRT ref: 00BA2CF9
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46A0
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: SizeofResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46A9
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46C3
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: LoadResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46CC
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: LockResource.KERNEL32(00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46D3
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: memcpy_s.MSVCRT ref: 00BA46E5
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46EF
                                                                                                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA2D34
                                                                                                                                                                                                                  • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA2D40
                                                                                                                                                                                                                  • CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA2DAE
                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00BA2DBD
                                                                                                                                                                                                                  • CloseHandle.KERNEL32(smo,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA2E0A
                                                                                                                                                                                                                    • Part of subcall function 00BA44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00BA4518
                                                                                                                                                                                                                    • Part of subcall function 00BA44B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00BA4554
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
                                                                                                                                                                                                                  • String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$smo
                                                                                                                                                                                                                  • API String ID: 1002816675-4137116347
                                                                                                                                                                                                                  • Opcode ID: f74abed43869d5a6abbef551e13eed9e33d8b2391081af7c60e4ddd02c5e08c5
                                                                                                                                                                                                                  • Instruction ID: 72abfd12d0dcbc7f417ae7e0e07f8584c22a3f18890faca4add13fc4222c3d60
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f74abed43869d5a6abbef551e13eed9e33d8b2391081af7c60e4ddd02c5e08c5
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4451AE7074C301BAE764AB2C9C4BB7B36D9EB97700F0440BAF941D65E1EFB48882D625
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                  control_flow_graph 384 ba597d-ba59b9 GetCurrentDirectoryA SetCurrentDirectoryA 385 ba59bb-ba59d8 call ba44b9 call ba6285 384->385 386 ba59dd-ba5a1b GetDiskFreeSpaceA 384->386 401 ba5c05-ba5c14 call ba6ce0 385->401 388 ba5ba1-ba5bde memset call ba6285 GetLastError FormatMessageA 386->388 389 ba5a21-ba5a4a MulDiv 386->389 398 ba5be3-ba5bfc call ba44b9 SetCurrentDirectoryA 388->398 389->388 392 ba5a50-ba5a6c GetVolumeInformationA 389->392 395 ba5a6e-ba5ab0 memset call ba6285 GetLastError FormatMessageA 392->395 396 ba5ab5-ba5aca SetCurrentDirectoryA 392->396 395->398 400 ba5acc-ba5ad1 396->400 413 ba5c02 398->413 404 ba5ae2-ba5ae4 400->404 405 ba5ad3-ba5ad8 400->405 406 ba5ae6 404->406 407 ba5ae7-ba5af8 404->407 405->404 409 ba5ada-ba5ae0 405->409 406->407 412 ba5af9-ba5afb 407->412 409->400 409->404 414 ba5afd-ba5b03 412->414 415 ba5b05-ba5b08 412->415 416 ba5c04 413->416 414->412 414->415 417 ba5b0a-ba5b1b call ba44b9 415->417 418 ba5b20-ba5b27 415->418 416->401 417->413 420 ba5b29-ba5b33 418->420 421 ba5b52-ba5b5b 418->421 420->421 423 ba5b35-ba5b50 420->423 424 ba5b62-ba5b6d 421->424 423->424 425 ba5b6f-ba5b74 424->425 426 ba5b76-ba5b7d 424->426 427 ba5b85 425->427 428 ba5b7f-ba5b81 426->428 429 ba5b83 426->429 430 ba5b96-ba5b9f 427->430 431 ba5b87-ba5b94 call ba268b 427->431 428->427 429->427 430->416 431->416
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00BA59A8
                                                                                                                                                                                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 00BA59AF
                                                                                                                                                                                                                  • GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00BA5A13
                                                                                                                                                                                                                  • MulDiv.KERNEL32(?,?,00000400), ref: 00BA5A40
                                                                                                                                                                                                                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00BA5A64
                                                                                                                                                                                                                  • memset.MSVCRT ref: 00BA5A7C
                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00BA5A98
                                                                                                                                                                                                                  • FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00BA5AA5
                                                                                                                                                                                                                  • SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00BA5BFC
                                                                                                                                                                                                                    • Part of subcall function 00BA44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00BA4518
                                                                                                                                                                                                                    • Part of subcall function 00BA44B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00BA4554
                                                                                                                                                                                                                    • Part of subcall function 00BA6285: GetLastError.KERNEL32(00BA5BBC), ref: 00BA6285
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                   • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 4237285672-0
                                                                                                                                                                                                                  • Opcode ID: b5e7cdfb53dba937283fa80726ad480184406556b65d17c3acf86903dd0cb231
                                                                                                                                                                                                                  • Instruction ID: 2e4851f64fcc2eff0bd72980e4d6179c718db065fa766c306ae1396fe01ea583
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b5e7cdfb53dba937283fa80726ad480184406556b65d17c3acf86903dd0cb231
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 727170B1A04618ABEB259F64CC86BFB77ECEB4A340F5441E9F50697140EA709F85CB70
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  control_flow_graph 434 ba4fe0-ba501a call ba468f FindResourceA LoadResource LockResource 437 ba5020-ba5027 434->437 438 ba5161-ba5163 434->438 439 ba5029-ba5051 GetDlgItem ShowWindow GetDlgItem ShowWindow 437->439 440 ba5057-ba505e call ba4efd 437->440 439->440 443 ba507c-ba50b4 440->443 444 ba5060-ba5077 call ba44b9 440->444 449 ba50e8-ba5104 call ba44b9 443->449 450 ba50b6-ba50da 443->450 448 ba5107-ba510e 444->448 452 ba511d-ba511f 448->452 453 ba5110-ba5117 FreeResource 448->453 458 ba5106 449->458 450->458 462 ba50dc 450->462 455 ba513a-ba5141 452->455 456 ba5121-ba5127 452->456 453->452 460 ba515f 455->460 461 ba5143-ba514a 455->461 456->455 459 ba5129-ba5135 call ba44b9 456->459 458->448 459->455 460->438 461->460 464 ba514c-ba5159 SendMessageA 461->464 465 ba50e3-ba50e6 462->465 464->460 465->449 465->458
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46A0
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: SizeofResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46A9
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46C3
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: LoadResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46CC
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: LockResource.KERNEL32(00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46D3
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: memcpy_s.MSVCRT ref: 00BA46E5
                                                                                                                                                                                                                    • Part of subcall function 00BA468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46EF
                                                                                                                                                                                                                  • FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00BA4FFE
                                                                                                                                                                                                                  • LoadResource.KERNEL32(00000000,00000000), ref: 00BA5006
                                                                                                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 00BA500D
                                                                                                                                                                                                                  • GetDlgItem.USER32(00000000,00000842), ref: 00BA5030
                                                                                                                                                                                                                  • ShowWindow.USER32(00000000), ref: 00BA5037
                                                                                                                                                                                                                  • GetDlgItem.USER32(00000841,00000005), ref: 00BA504A
                                                                                                                                                                                                                  • ShowWindow.USER32(00000000), ref: 00BA5051
                                                                                                                                                                                                                  • FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00BA5111
                                                                                                                                                                                                                  • SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00BA5159
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                                                                                                                                                                                                                  • String ID: *MEMCAB$CABINET
                                                                                                                                                                                                                  • API String ID: 1305606123-2642027498
                                                                                                                                                                                                                  • Opcode ID: 9752d273999b701be96468336622e6e1f9dd8ee2ee20f8c81520b550fb99c71b
                                                                                                                                                                                                                  • Instruction ID: 726f879813a9e44266b9d152907d80a8dc6928f7b5a90df19b38f5ce404c50c9
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9752d273999b701be96468336622e6e1f9dd8ee2ee20f8c81520b550fb99c71b
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 61318CB06487027BE7305B65AD8BF673ADCEB8BB55F0400A5F906B32A1DFB48C40D661
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 00BA171E: _vsnprintf.MSVCRT ref: 00BA1750
                                                                                                                                                                                                                  • RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA53FB
                                                                                                                                                                                                                  • GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA5402
                                                                                                                                                                                                                  • GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA541F
                                                                                                                                                                                                                  • DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA542B
                                                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA5434
                                                                                                                                                                                                                  • CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA5452
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$IXP$IXP%03d.TMP
                                                                                                                                                                                                                  • API String ID: 1082909758-7194216
                                                                                                                                                                                                                  • Opcode ID: 6289a1a372a3fd0614143dd2ddf529d59e73ace130cc1d76508243850483ce34
                                                                                                                                                                                                                  • Instruction ID: 497b1255581fee4c4ce45b810cf12b4778e8e156c008fd5623f36184e1b6bb6d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6289a1a372a3fd0614143dd2ddf529d59e73ace130cc1d76508243850483ce34
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DF11E27170860477D7309B269C4AFAF36ADEBC7321F0000A5B546D32A0DF748E42C6B5
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  control_flow_graph 538 ba5467-ba5484 539 ba548a-ba5490 call ba53a1 538->539 540 ba551c-ba5528 call ba1680 538->540 543 ba5495-ba5497 539->543 544 ba552d-ba5539 call ba58c8 540->544 546 ba549d-ba54c0 call ba1781 543->546 547 ba5581-ba5583 543->547 552 ba553b-ba5545 CreateDirectoryA 544->552 553 ba554d-ba5552 544->553 555 ba550c-ba551a call ba658a 546->555 556 ba54c2-ba54d8 GetSystemInfo 546->556 550 ba558d-ba559d call ba6ce0 547->550 558 ba5577-ba557c call ba6285 552->558 559 ba5547 552->559 560 ba5554-ba5557 call ba597d 553->560 561 ba5585-ba558b 553->561 555->544 562 ba54da-ba54dd 556->562 563 ba54fe 556->563 558->547 559->553 569 ba555c-ba555e 560->569 561->550 567 ba54df-ba54e2 562->567 568 ba54f7-ba54fc 562->568 570 ba5503-ba5507 call ba658a 563->570 573 ba54f0-ba54f5 567->573 574 ba54e4-ba54e7 567->574 568->570 569->561 575 ba5560-ba5566 569->575 570->555 573->570 574->555 577 ba54e9-ba54ee 574->577 575->547 578 ba5568-ba5575 RemoveDirectoryA 575->578 577->570 578->547
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA54C9
                                                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA553D
                                                                                                                                                                                                                  • RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA556F
                                                                                                                                                                                                                    • Part of subcall function 00BA53A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA53FB
                                                                                                                                                                                                                    • Part of subcall function 00BA53A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA5402
                                                                                                                                                                                                                    • Part of subcall function 00BA53A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA541F
                                                                                                                                                                                                                    • Part of subcall function 00BA53A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA542B
                                                                                                                                                                                                                    • Part of subcall function 00BA53A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA5434
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$alpha$i386$mips$ppc
                                                                                                                                                                                                                  • API String ID: 1979080616-3696344869
                                                                                                                                                                                                                  • Opcode ID: c640d1c0ec1377bac7a3efe2aa04f990a9cb9e40eef239f664ca3edf5fd8dfaa
                                                                                                                                                                                                                  • Instruction ID: edf2c66d46d0d57b9d8c4823b07414510cf9deecff245a3c94e3b2142889b95b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c640d1c0ec1377bac7a3efe2aa04f990a9cb9e40eef239f664ca3edf5fd8dfaa
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1531D471F0CA146BCB309F2D9C46ABE77EAEBA7740B0401EAA40293650DF70CF459A95
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  control_flow_graph 579 ba256d-ba257d 580 ba2622-ba2627 call ba24e0 579->580 581 ba2583-ba2589 579->581 588 ba2629-ba262f 580->588 583 ba258b 581->583 584 ba25e8-ba2607 RegOpenKeyExA 581->584 583->588 589 ba2591-ba2595 583->589 585 ba2609-ba2620 RegQueryInfoKeyA 584->585 586 ba25e3-ba25e6 584->586 590 ba25d1-ba25dd RegCloseKey 585->590 586->588 589->588 591 ba259b-ba25ba RegOpenKeyExA 589->591 590->586 591->586 592 ba25bc-ba25cb RegQueryValueExA 591->592 592->590
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,00BA4096,00BA4096,?,00BA1ED3,00000001,00000000,?,?,00BA4137,?), ref: 00BA25B2
                                                                                                                                                                                                                  • RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00BA4096,?,00BA1ED3,00000001,00000000,?,?,00BA4137,?,00BA4096), ref: 00BA25CB
                                                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?,?,00BA1ED3,00000001,00000000,?,?,00BA4137,?,00BA4096), ref: 00BA25DD
                                                                                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,00BA4096,00BA4096,?,00BA1ED3,00000001,00000000,?,?,00BA4137,?), ref: 00BA25FF
                                                                                                                                                                                                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00BA4096,00000000,00000000,00000000,00000000,?,00BA1ED3,00000001,00000000), ref: 00BA261A
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00BA25F5
                                                                                                                                                                                                                  • PendingFileRenameOperations, xrefs: 00BA25C3
                                                                                                                                                                                                                  • System\CurrentControlSet\Control\Session Manager, xrefs: 00BA25A8
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: OpenQuery$CloseInfoValue
                                                                                                                                                                                                                  • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
                                                                                                                                                                                                                  • API String ID: 2209512893-559176071
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Basic-block graph rendered as an image in the original report; legend: Executed / Not Executed. The raw edge list is not reproduced here.)

APIs
  • Part of subcall function 00BA7155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00BA7182
  • Part of subcall function 00BA7155: GetCurrentProcessId.KERNEL32 ref: 00BA7191
  • Part of subcall function 00BA7155: GetCurrentThreadId.KERNEL32 ref: 00BA719A
  • Part of subcall function 00BA7155: GetTickCount.KERNEL32 ref: 00BA71A3
  • Part of subcall function 00BA7155: QueryPerformanceCounter.KERNEL32(?), ref: 00BA71B8
• GetStartupInfoW.KERNEL32(?,00BA72B8,00000058), ref: 00BA6A7F
• Sleep.KERNEL32(000003E8), ref: 00BA6AB4
• _amsg_exit.MSVCRT ref: 00BA6AC9
• _initterm.MSVCRT ref: 00BA6B1D
• __IsNonwritableInCurrentImage.LIBCMT ref: 00BA6B49
• exit.KERNELBASE ref: 00BA6BBF
• _ismbblead.MSVCRT ref: 00BA6BDA
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
• String ID:
• API String ID: 836923961-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Basic-block graph rendered as an image in the original report; legend: Executed / Not Executed. The raw edge list is not reproduced here.)

APIs
• LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00BA5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA58E7
• CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00BA5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA5943
• LocalFree.KERNEL32(00000000,?,00BA5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA594D
• CloseHandle.KERNEL32(00000000,?,00BA5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA595C
• GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00BA5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00BA5963
Strings
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
• String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$TMP4351$.TMP
• API String ID: 747627703-394614654
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Basic-block graph rendered as an image in the original report; legend: Executed / Not Executed. The raw edge list is not reproduced here.)

APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 00BA4033
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BA4049
• GetExitCodeProcess.KERNELBASE(?,?), ref: 00BA405C
• CloseHandle.KERNEL32(?), ref: 00BA409C
• CloseHandle.KERNEL32(?), ref: 00BA40A8
• GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00BA40DC
• FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00BA40E9
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3183975587-0
                                                                                                                                                                                                                  • Opcode ID: 891e6586bbc7bad55d49ec898d8cf6d6c436fe7691b43a6bce265b5dbd32a544
                                                                                                                                                                                                                  • Instruction ID: 5b3719437d2aa3397f9f1b94640585e2fa73d6ac149e3ce627f2ab64ba380086
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 891e6586bbc7bad55d49ec898d8cf6d6c436fe7691b43a6bce265b5dbd32a544
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E6317F71644218BBEB309B65DC4AFABB7BCEBD7710F1001AAF605E21A1CB704D85DB61
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46A0
  • Part of subcall function 00BA468F: SizeofResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46A9
  • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46C3
  • Part of subcall function 00BA468F: LoadResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46CC
  • Part of subcall function 00BA468F: LockResource.KERNEL32(00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46D3
  • Part of subcall function 00BA468F: memcpy_s.MSVCRT ref: 00BA46E5
  • Part of subcall function 00BA468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46EF
• LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00BA2F4D,?,00000002,00000000), ref: 00BA5201
• LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00BA5250
  • Part of subcall function 00BA44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00BA4518
  • Part of subcall function 00BA44B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00BA4554
  • Part of subcall function 00BA6285: GetLastError.KERNEL32(00BA5BBC), ref: 00BA6285
Strings
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
• String ID: <None>$UPROMPT
• API String ID: 957408736-2980973527
• Opcode ID: b80505dde9c0cfec0116243687b7dc7010bdc2504045a550854a764e659df09e
• Instruction ID: f8afdf562b056ede16b65a5f7d993e829e6d2bb6f459c99b4dfbd18729cbdf4a
• Opcode Fuzzy Hash: b80505dde9c0cfec0116243687b7dc7010bdc2504045a550854a764e659df09e
• Instruction Fuzzy Hash: 6E1190B5248701BBE7746B759C8AB3B61DDDBCB380F1044A9F642E6290DFB98C015234
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNELBASE(02CC4648,00000080,?,00000000), ref: 00BA52F2
• DeleteFileA.KERNELBASE(02CC4648), ref: 00BA52FA
• LocalFree.KERNEL32(02CC4648,?,00000000), ref: 00BA5305
• LocalFree.KERNEL32(02CC4648), ref: 00BA530C
• SetCurrentDirectoryA.KERNELBASE(00BA11FC,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00BA5363
Strings
• C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00BA5334
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
• String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
• API String ID: 2833751637-1610346413
• Opcode ID: 0762b2e7d5f15f868cff656a8f376f88a599017e93ad36364cb8f9c5a8ddc05c
• Instruction ID: ec9c9ed2a3442d159c4ff21cb3291cf76361aa9ee75ea5f542806e9b7400e0b6
• Opcode Fuzzy Hash: 0762b2e7d5f15f868cff656a8f376f88a599017e93ad36364cb8f9c5a8ddc05c
• Instruction Fuzzy Hash: CD218B31A08604EFDB319B24EC0AB6977F4FB43790F0401AAE843575A0DFB45E84DB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,00BA538C,?,?,00BA538C), ref: 00BA2005
• RegDeleteValueA.KERNELBASE(00BA538C,wextract_cleanup2,?,?,00BA538C), ref: 00BA2017
• RegCloseKey.ADVAPI32(00BA538C,?,?,00BA538C), ref: 00BA2020
Strings
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup2
• API String ID: 849931509-3354236729
• Opcode ID: d6fdb64fab37c6690a4a6e869022ecc373280ce082bbba9b5529dbfdd6ccfb1d
• Instruction ID: ad28b74a5d3a2b97054037efc70edb8e9e66e1e033f40bb7f473c6f7d01f320f
• Opcode Fuzzy Hash: d6fdb64fab37c6690a4a6e869022ecc373280ce082bbba9b5529dbfdd6ccfb1d
• Instruction Fuzzy Hash: 7CE04F30D54318BBD7329B90EC0BF697BA9E712740F1001D4BA04A2460EF615A14D725
Uniqueness

Uniqueness Score: -1.00%
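Read together, the functions listed above are the teardown path of a Windows self-extracting stub running in process 2: a child is launched with CreateProcessA and awaited, a resource named TITLE is pulled out of the image, files in C:\Users\user\AppData\Local\Temp\IXP002.TMP\ are un-hidden and deleted, and the RunOnce value wextract_cleanup2 under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce is removed. An IXPnnn.TMP working directory plus a wextract_cleanupN RunOnce value is the well-known footprint of Microsoft's wextract stub (the one IExpress packages are built on), which is why these records are worth pulling out of a report automatically. The following Python is an added example, not Joe Sandbox or IDA-plugin code: it parses the "APIs" bullet lines in the format shown on this page (the grammar is inferred from these listings and may not cover every record variant) and flags that cleanup pattern. The input is a constructed sample copied from the listings above.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' records and flag the wextract cleanup pattern.

Added example for this report; not Joe Sandbox code. The line grammar is inferred
from the listings on this page: '• API.MODULE(args), ref: ADDR', optionally
prefixed with 'Part of subcall function ADDR:' and optionally without an
argument list (e.g. 'memcpy_s.MSVCRT ref: ...').
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: API records copied from the report listings above
# (RunOnce cleanup, IXP002.TMP cleanup, and one nested "Part of subcall" line).
SAMPLE_APIS = r"""
• RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,00BA538C,?,?,00BA538C), ref: 00BA2005
• RegDeleteValueA.KERNELBASE(00BA538C,wextract_cleanup2,?,?,00BA538C), ref: 00BA2017
• RegCloseKey.ADVAPI32(00BA538C,?,?,00BA538C), ref: 00BA2020
• SetFileAttributesA.KERNELBASE(02CC4648,00000080,?,00000000), ref: 00BA52F2
• DeleteFileA.KERNELBASE(02CC4648), ref: 00BA52FA
• SetCurrentDirectoryA.KERNELBASE(00BA11FC,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00BA5363
  • Part of subcall function 00BA468F: memcpy_s.MSVCRT ref: 00BA46E5
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"                      # argument list, absent for memcpy_s.MSVCRT
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"  # call-site address inside the dump
)

# Predefined registry hive handles as they appear in RegOpenKeyEx's first argument.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}

# Working directories of the form ...\Temp\IXP002.TMP\ as seen in the report.
IXP_TEMP_DIR = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\?", re.IGNORECASE)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)
    ref: str = ""      # address of the call site in the dumped module
    caller: str = ""   # set for lines the report marks "Part of subcall function"


@dataclass
class Finding:
    kind: str
    detail: str
    ref: str


def parse_api_lines(text):
    """Turn the bullet lines of an 'APIs' listing into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref") or "", m.group("caller") or ""))
    return calls


def find_self_extractor_artifacts(calls):
    """Flag RunOnce access, wextract_cleanup* value deletion and IXPnnn.TMP paths."""
    findings = []
    for c in calls:
        if (c.api.startswith("RegOpenKeyEx") and len(c.args) > 1
                and c.args[1].lower().endswith(r"currentversion\runonce")):
            hive = HIVES.get(c.args[0].lower(), c.args[0])
            findings.append(Finding("runonce_key", hive + "\\" + c.args[1], c.ref))
        if (c.api.startswith("RegDeleteValue") and len(c.args) > 1
                and c.args[1].lower().startswith("wextract_cleanup")):
            findings.append(Finding("wextract_cleanup_value", c.args[1], c.ref))
        for a in c.args:
            if IXP_TEMP_DIR.search(a):
                findings.append(Finding("ixp_temp_dir", a, c.ref))
    return findings


if __name__ == "__main__":
    for f in find_self_extractor_artifacts(parse_api_lines(SAMPLE_APIS)):
        print(f"{f.kind:24s} {f.detail}  (ref {f.ref})")
```

The hive lookup matters in triage: the RunOnce key here is opened under HKLM (80000002), so the cleanup entry was machine-wide, which a plain string match on "RunOnce" would not tell you. Feeding the parser a whole report rather than this sample lets the same three checks run over every dumped function at once.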

APIs
• SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00BA4DB5
• SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00BA4DDD
Strings
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: AttributesFileItemText
• String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
• API String ID: 3625706803-1610346413
• Opcode ID: 13bce37c930aef090a2d4c4a46d9a64d9b4038065d84e4813df55eebd70fc1df
• Instruction ID: b1b4675ebb43775849ea6ef3e61eef4424b1e2039c3d398264e05d9a7de104ca
• Opcode Fuzzy Hash: 13bce37c930aef090a2d4c4a46d9a64d9b4038065d84e4813df55eebd70fc1df
• Instruction Fuzzy Hash: 8D41003620C105AACB259F38D9456BAB3E5EBC7300B0446F8E8C297295DFB1DE4AC750
Uniqueness

Uniqueness Score: -1.00%

APIs
• DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00BA4C54
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BA4C66
• SetFileTime.KERNELBASE(?,?,?,?), ref: 00BA4C7E
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: Time$File$DateLocal
• String ID:
• API String ID: 2071732420-0
• Opcode ID: 593a3e6f5fb7a60fd242074acd607d5f5164ae4c5659be977cc29d32d66e667d
• Instruction ID: 570fe9f3421a57df98c7611d8e7418e9426c463c8d739e0d419dbf28f09c6bb6
• Opcode Fuzzy Hash: 593a3e6f5fb7a60fd242074acd607d5f5164ae4c5659be977cc29d32d66e667d
• Instruction Fuzzy Hash: C8F06D72605208BB9B249FA4CC49ABB7BECEB46250B44057AA819D2050FB70D914C7B0
Uniqueness

Uniqueness Score: -1.00%

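The function at 00BA4C54 chains DosDateTimeToFileTime, LocalFileTimeToFileTime and SetFileTime, which is the sequence an archive extractor uses to copy an entry's stored DOS timestamp onto the file it has just written. For a forensic reading of the files dropped under IXP002.TMP this matters: their modification times reflect the archive entry, not the moment of extraction. The block below is an added example, not part of the Joe Sandbox report and not the sample's own code; it models the same conversion in Python and applies it to a constructed temporary file. The entry timestamp (2023-10-31 12:34:56) and the zero UTC bias are assumptions chosen for the demonstration.

```python
# Added example (not part of the Joe Sandbox report or the sample's code):
# a pure-Python model of the DosDateTimeToFileTime -> LocalFileTimeToFileTime
# -> SetFileTime chain listed for the function at 00BA4C54. The packed DOS
# date/time layout and the FILETIME epoch are documented Win32 facts; the
# sample timestamp and UTC bias used below are constructed.
import os
import tempfile
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                     # FILETIME counts 100 ns intervals
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000  # 1970-01-01 00:00:00 UTC in ticks


def dos_datetime_to_local(dos_date: int, dos_time: int) -> datetime:
    """Unpack the two 16-bit DOS fields that DosDateTimeToFileTime consumes.

    dos_date: bits 0-4 day (1-31), bits 5-8 month (1-12), bits 9-15 years since 1980
    dos_time: bits 0-4 seconds/2, bits 5-10 minute, bits 11-15 hour
    The result is a naive local time: DOS timestamps carry no zone information
    and only 2-second resolution.
    """
    day = dos_date & 0x1F
    month = (dos_date >> 5) & 0x0F
    year = 1980 + (dos_date >> 9)
    second = (dos_time & 0x1F) * 2
    minute = (dos_time >> 5) & 0x3F
    hour = dos_time >> 11
    return datetime(year, month, day, hour, minute, second)


def local_to_filetime(local: datetime, utc_offset: timedelta) -> int:
    """Model LocalFileTimeToFileTime: shift by the machine's *current* UTC bias
    (the real API does not apply historical DST rules) and count 100 ns ticks
    since 1601-01-01 UTC.
    """
    utc = (local - utc_offset).replace(tzinfo=timezone.utc)
    delta = utc - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND


def filetime_for_dos(dos_date: int, dos_time: int, utc_offset_minutes: int = 0) -> int:
    """Convenience wrapper: packed DOS fields plus a zone bias in minutes -> FILETIME."""
    return local_to_filetime(dos_datetime_to_local(dos_date, dos_time),
                             timedelta(minutes=utc_offset_minutes))


def filetime_to_unix_ns(filetime: int) -> int:
    """Convert FILETIME ticks to nanoseconds since the Unix epoch (for os.utime)."""
    return (filetime - UNIX_EPOCH_AS_FILETIME) * 100


def stamp_like_extractor(path: str, dos_date: int, dos_time: int,
                         utc_offset_minutes: int) -> int:
    """Apply the full chain to a real file, as SetFileTime does in the sample:
    the on-disk modification time becomes the archive entry's stored time, not
    the moment the file was written. Returns the FILETIME that was applied."""
    filetime = filetime_for_dos(dos_date, dos_time, utc_offset_minutes)
    unix_ns = filetime_to_unix_ns(filetime)
    os.utime(path, ns=(unix_ns, unix_ns))
    return filetime


def demo_roundtrip() -> tuple:
    """Constructed input: an archive entry dated 2023-10-31 12:34:56 (local),
    extracted on a machine whose UTC bias is zero. Returns (FILETIME applied,
    mtime in ns actually observed on the file) so the two can be compared."""
    dos_date = (43 << 9) | (10 << 5) | 31    # 0x575F: 1980+43, October, 31st
    dos_time = (12 << 11) | (34 << 5) | 28   # 0x645C: 12:34, 28*2 = 56 s
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        applied = stamp_like_extractor(path, dos_date, dos_time, 0)
        observed = os.stat(path).st_mtime_ns
    finally:
        os.unlink(path)
    return applied, observed


if __name__ == "__main__":
    applied, observed = demo_roundtrip()
    print(f"FILETIME applied: {applied}, mtime_ns on disk: {observed}")
```

Two practical consequences follow from the model. First, an analyst comparing the mtime of a dropped file against the sandbox's execution window will see a time that predates the run, because the extractor restores the archive's stored timestamp; that is expected behaviour of this API chain, not evidence of a separate timestomping routine. Second, LocalFileTimeToFileTime applies the bias the host currently has, so the same archive extracted on machines with different zone settings yields modification times that differ by exactly that bias.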
APIs
• CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00BA4A23,?,00BA4F67,*MEMCAB,00008000,00000180), ref: 00BA48DE
• CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00BA4F67,*MEMCAB,00008000,00000180), ref: 00BA4902
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: c7bf479d35a4cba520a0e7428aaa97c8312a6971df6b981c2a8cbb0d2e4e66a0
• Instruction ID: 83e06cb7f3b32b81202a31bf201abb558b29d1258964a2f3db9d41cabada92ef
• Opcode Fuzzy Hash: c7bf479d35a4cba520a0e7428aaa97c8312a6971df6b981c2a8cbb0d2e4e66a0
• Instruction Fuzzy Hash: 5A0146A3E1A5703AF32440299C89FB7559CCBD7734F1B0374BDAAE76D2D6A84C0481E0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BA3680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00BA369F
  • Part of subcall function 00BA3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA36B2
  • Part of subcall function 00BA3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA36DA
• WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00BA4B05
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: MessagePeek$FileMultipleObjectsWaitWrite
• String ID:
• API String ID: 1084409-0
• Opcode ID: 912532af5de7bdc82d4cdaac581f738e681805ee580f0b66e1219d7a9e6ebcf1
• Instruction ID: b0c9748d906559f71832bd1d79de594b7ccc9f552b22e055acef34b36844d80f
• Opcode Fuzzy Hash: 912532af5de7bdc82d4cdaac581f738e681805ee580f0b66e1219d7a9e6ebcf1
• Instruction Fuzzy Hash: 34019631204201ABD7148F68EC06BA27B99F786725F148265F93AAB1E0CFB0D811D751
Uniqueness

Uniqueness Score: -1.00%

APIs
• CharPrevA.USER32(00BA8B3E,00BA8B3F,00000001,00BA8B3E,-00000003,?,00BA60EC,00BA1140,?), ref: 00BA65BA
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
• Opcode ID: 2ec4ec30eddf286b1bd29e9c292bdc4300dfb326511f237c67f51fb5d0d2b1b8
• Instruction ID: a04b4e7bae7c1452d807b9f924f65d816d3ee5c22d22b0fecf473c8e2cf2ac76
• Opcode Fuzzy Hash: 2ec4ec30eddf286b1bd29e9c292bdc4300dfb326511f237c67f51fb5d0d2b1b8
• Instruction Fuzzy Hash: B2F028B2A0C2549FD331491D9884B66BFDADBA7350F2C05EAE8DAC3205DA658C4583A4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00BA623F
  • Part of subcall function 00BA44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00BA4518
  • Part of subcall function 00BA44B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00BA4554
  • Part of subcall function 00BA6285: GetLastError.KERNEL32(00BA5BBC), ref: 00BA6285
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: DirectoryErrorLastLoadMessageStringWindows
• String ID:
• API String ID: 381621628-0
• Opcode ID: e8416eb07d11e1942bacddf69dd8f8117d811bed5a064ad320d99cda99f89aed
• Instruction ID: a79f44e5ec798eb856c4e83c53f8f7183acd94befc52463408503fef7b480179
• Opcode Fuzzy Hash: e8416eb07d11e1942bacddf69dd8f8117d811bed5a064ad320d99cda99f89aed
• Instruction Fuzzy Hash: 3FF0B4B07082086BD760EB748D03BBE33ECDB55300F4000A9A985D7181EE7499448650
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00BA4FA1,00000000), ref: 00BA4B98
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ChangeCloseFindNotification
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2591292051-0
                                                                                                                                                                                                                  • Opcode ID: 441ffdaebb5afb4a9712a5fa22b6c9004553bbae2dcf7a1c68362da6cb501b28
                                                                                                                                                                                                                  • Instruction ID: bbcbf01239d2e774f1b73989c5de11ea69abed7c4e679776af6fa4ffa587f1da
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 441ffdaebb5afb4a9712a5fa22b6c9004553bbae2dcf7a1c68362da6cb501b28
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F4F0FE31914B089E87718E398C01652BFE4FAF7760351093E94AEE2590EB70A455CBA0
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetFileAttributesA.KERNELBASE(?,00BA4777,?,00BA4E38,?), ref: 00BA66B1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                                                  • Opcode ID: 9d4f607db151b5919c1c2caf756007f3a76ab8e3c4ca4c57dec5cd9f7c356f5f
                                                                                                                                                                                                                  • Instruction ID: 1c60ac38475876ac8ae3e87425c17b7f6cefe043bf6b72f1e65f578070b3d455
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9d4f607db151b5919c1c2caf756007f3a76ab8e3c4ca4c57dec5cd9f7c356f5f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D4B092B6266840426A6006756C2A5962981E6C263A7E81B90F032C11E0CF3ED846D014
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GlobalAlloc.KERNELBASE(00000000,?), ref: 00BA4CAA
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: AllocGlobal
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3761449716-0
                                                                                                                                                                                                                  • Opcode ID: 5c43f3818cf952bf2687b0e29bbca5ca10916d1095a72dd0254f174ec2e061d5
                                                                                                                                                                                                                  • Instruction ID: c0ac29ca78d68e6c3c1a7bca2e0dd517b18930ea57b7135159876be75c96de7e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5c43f3818cf952bf2687b0e29bbca5ca10916d1095a72dd0254f174ec2e061d5
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 28B0123204420CB7CF501FC2EC0AF857F1DE7C9761F140000F60C460508F729410C7A6
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: FreeGlobal
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2979337801-0
                                                                                                                                                                                                                  • Opcode ID: 293325d5911e23b76e85574b6526404d7a233a666b24a64d425a69eff0b7ac83
                                                                                                                                                                                                                  • Instruction ID: b385eec9b529a12c90d03d5a1f357237afa83043eec9e43c7c18ef7aba5b6f3a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 293325d5911e23b76e85574b6526404d7a233a666b24a64d425a69eff0b7ac83
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 83B0123100010CB78F101B52EC098457F1DD6C52607000010F50C420218F339811C595
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CharNextA.USER32(?,00000000,?,?), ref: 00BA5CEE
                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00BA8B3E,00000104,00000000,?,?), ref: 00BA5DFC
                                                                                                                                                                                                                  • CharUpperA.USER32(?), ref: 00BA5E3E
                                                                                                                                                                                                                  • CharUpperA.USER32(-00000052), ref: 00BA5EE1
                                                                                                                                                                                                                  • CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00BA5F6F
                                                                                                                                                                                                                  • CharUpperA.USER32(?), ref: 00BA5FA7
                                                                                                                                                                                                                  • CharUpperA.USER32(-0000004E), ref: 00BA6008
                                                                                                                                                                                                                  • CharUpperA.USER32(?), ref: 00BA60AA
                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00BA1140,00000000,00000040,00000000), ref: 00BA61F1
                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 00BA61F8
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
                                                                                                                                                                                                                  • String ID: "$"$:$RegServer
                                                                                                                                                                                                                  • API String ID: 1203814774-25366791
                                                                                                                                                                                                                  • Opcode ID: 628fdb9ed0a45beb9a48787a779444dc51d6119a8add70f4e3e8a46702c57092
                                                                                                                                                                                                                  • Instruction ID: a75783ba5e9266d2725d5a6dab70d00b6a262478c3d220d37f626faee9cc108f
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 628fdb9ed0a45beb9a48787a779444dc51d6119a8add70f4e3e8a46702c57092
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 17D114B1A0CA545EDB358B389C897FA7BE1EB27300F1840EAD4D6D7591DA718FC68B10
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00BA1EFB
                                                                                                                                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00BA1F02
                                                                                                                                                                                                                  • ExitWindowsEx.USER32(00000002,00000000), ref: 00BA1FD3
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Process$CurrentExitOpenTokenWindows
                                                                                                                                                                                                                  • String ID: SeShutdownPrivilege
                                                                                                                                                                                                                  • API String ID: 2795981589-3733053543
                                                                                                                                                                                                                  • Opcode ID: 71a6a373884dacb181c566faf94e0866361d0ac5ed7e676703d0704ec6adc2c5
                                                                                                                                                                                                                  • Instruction ID: e0fd4e093fd7baf98818b7983a42840d0e5b6608ebd92a131d201e0bdda8e06a
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 71a6a373884dacb181c566faf94e0866361d0ac5ed7e676703d0704ec6adc2c5
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F21D671B482457EDB705BA99C4AFBF76F8EB87B10F100859FA02E7180DB758801D271
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00BA6E26,00BA1000), ref: 00BA6CF7
                                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(00BA6E26,?,00BA6E26,00BA1000), ref: 00BA6D00
                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(C0000409,?,00BA6E26,00BA1000), ref: 00BA6D0B
                                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,00BA6E26,00BA1000), ref: 00BA6D12
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3231755760-0
                                                                                                                                                                                                                  • Opcode ID: 7f3309b507172d003afc3c686a3963e1be081fc77cb7cf11eeccd43de427b89d
                                                                                                                                                                                                                  • Instruction ID: a9a23e15515ab3b14a17d2d435778ad6c668e4d70bd342b62ba09f7b576a426e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f3309b507172d003afc3c686a3963e1be081fc77cb7cf11eeccd43de427b89d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7D0C932000108BBDB412BE1EC0EA593F28EB4B212F444000F319A3020CF325451CB72
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • LoadStringA.USER32(000003E8,00BA8598,00000200), ref: 00BA3271
                                                                                                                                                                                                                  • GetDesktopWindow.USER32 ref: 00BA33E2
                                                                                                                                                                                                                  • SetWindowTextA.USER32(?,smo), ref: 00BA33F7
                                                                                                                                                                                                                  • SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00BA3410
                                                                                                                                                                                                                  • GetDlgItem.USER32(?,00000836), ref: 00BA3426
                                                                                                                                                                                                                  • EnableWindow.USER32(00000000), ref: 00BA342D
                                                                                                                                                                                                                  • EndDialog.USER32(?,00000000), ref: 00BA343F
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$smo
                                                                                                                                                                                                                  • API String ID: 2418873061-1155430921
                                                                                                                                                                                                                  • Opcode ID: a94b0f2dcf16635bafe08ebcc6615ad64860cffe4a565a8c2c1e7ca7791a1870
                                                                                                                                                                                                                  • Instruction ID: 3c07bc6ce8588ce5bd12936c2392a6e92361aceab5767c87559dc97171167655
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a94b0f2dcf16635bafe08ebcc6615ad64860cffe4a565a8c2c1e7ca7791a1870
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED51F43038C2407BEB615B355C8EF7B6AD9DB8BF54F1040A8F645A72D1CFA48E02E265
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • TerminateThread.KERNEL32(00000000), ref: 00BA3535
                                                                                                                                                                                                                  • EndDialog.USER32(?,?), ref: 00BA3541
                                                                                                                                                                                                                  • ResetEvent.KERNEL32 ref: 00BA355F
                                                                                                                                                                                                                  • SetEvent.KERNEL32(00BA1140,00000000,00000020,00000004), ref: 00BA3590
                                                                                                                                                                                                                  • GetDesktopWindow.USER32 ref: 00BA35C7
                                                                                                                                                                                                                  • GetDlgItem.USER32(?,0000083B), ref: 00BA35F1
                                                                                                                                                                                                                  • SendMessageA.USER32(00000000), ref: 00BA35F8
                                                                                                                                                                                                                  • GetDlgItem.USER32(?,0000083B), ref: 00BA3610
                                                                                                                                                                                                                  • SendMessageA.USER32(00000000), ref: 00BA3617
                                                                                                                                                                                                                  • SetWindowTextA.USER32(?,smo), ref: 00BA3623
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00004FE0,00000000,00000000,00BA8798), ref: 00BA3637
                                                                                                                                                                                                                  • EndDialog.USER32(?,00000000), ref: 00BA3671
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
                                                                                                                                                                                                                  • String ID: smo
                                                                                                                                                                                                                  • API String ID: 2406144884-2762499640
                                                                                                                                                                                                                  • Opcode ID: 6bc97c2eddc67d8f12dd92b35ef11f243aca1d031d11bcc6cd558564333de502
                                                                                                                                                                                                                  • Instruction ID: 9d1625836d42c95a6b192e7cab56853a6f3a0d797dfa28d3b9629873326ac4cd
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6bc97c2eddc67d8f12dd92b35ef11f243aca1d031d11bcc6cd558564333de502
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D031AE3124C300BBD7601F29EC4FE6A3AE8E79BF01F104569F602A72A4CF718A00DA65
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00BA4236
                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 00BA424C
                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,000000C3), ref: 00BA4263
                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 00BA427A
                                                                                                                                                                                                                  • GetTempPathA.KERNEL32(00000104,00BA88C0,?,00000001), ref: 00BA429F
                                                                                                                                                                                                                  • CharPrevA.USER32(00BA88C0,01751181,?,00000001), ref: 00BA42C2
                                                                                                                                                                                                                  • CharPrevA.USER32(00BA88C0,00000000,?,00000001), ref: 00BA42D6
                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00BA4391
                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00BA43A5
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
• String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
• API String ID: 1865808269-1731843650
• Opcode ID: 9a5a30f03aa9603343ada40fdc419a720d36b11226f8840b32422a2bd637c779
• Instruction ID: 6aa623bf3cb48b5afdd16d4a94ffa8673280abe7b98c5097ed39e286e18a4f32
• Opcode Fuzzy Hash: 9a5a30f03aa9603343ada40fdc419a720d36b11226f8840b32422a2bd637c779
• Instruction Fuzzy Hash: 3B41C3B4E08204AFDB119B64DC96A7EBBF4EB8B344F1401E9E941A3291CFB98C05C765
Uniqueness
Uniqueness Score: -1.00%
APIs
• LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00BA4518
• MessageBoxA.USER32(?,?,smo,00010010), ref: 00BA4554
• LocalAlloc.KERNEL32(00000040,00000065), ref: 00BA45A3
• LocalAlloc.KERNEL32(00000040,00000065), ref: 00BA45E3
• LocalAlloc.KERNEL32(00000040,00000002), ref: 00BA460D
• MessageBeep.USER32(00000000), ref: 00BA4630
• MessageBoxA.USER32(?,00000000,smo,00000000), ref: 00BA4666
• LocalFree.KERNEL32(00000000), ref: 00BA466F
  • Part of subcall function 00BA681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00BA686E
  • Part of subcall function 00BA681F: GetSystemMetrics.USER32(0000004A), ref: 00BA68A7
  • Part of subcall function 00BA681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00BA68CC
  • Part of subcall function 00BA681F: RegQueryValueExA.ADVAPI32(?,00BA1140,00000000,?,?,0000000C), ref: 00BA68F4
  • Part of subcall function 00BA681F: RegCloseKey.ADVAPI32(?), ref: 00BA6902
Strings
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
• String ID: LoadString() Error. Could not load string resource.$smo
• API String ID: 3244514340-2161240188
• Opcode ID: 911bd5efc572553918d46c859421d0f10a8fe2a5f786b5e5ea7b8256d34d2c98
• Instruction ID: 29a17d0170bbc0384289a6e4f23fdde1bce807e30e1812edd4ce248b340280a5
• Opcode Fuzzy Hash: 911bd5efc572553918d46c859421d0f10a8fe2a5f786b5e5ea7b8256d34d2c98
• Instruction Fuzzy Hash: 5151E476908215ABDB219F28CC49BAA7BE9EF87300F1445D5FD09B7241DBB1DE05CB60
Uniqueness
Uniqueness Score: -1.00%
APIs
• CharUpperA.USER32(88C731A0,00000000,00000000,00000000), ref: 00BA27A8
• CharNextA.USER32(0000054D), ref: 00BA27B5
• CharNextA.USER32(00000000), ref: 00BA27BC
• RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00BA2829
• RegQueryValueExA.ADVAPI32(?,00BA1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00BA2852
• ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00BA2870
• RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00BA28A0
• GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 00BA28AA
• GetSystemDirectoryA.KERNEL32(-00000005,00000104), ref: 00BA28B9
Strings
• Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00BA27E4
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
• String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
• API String ID: 2659952014-2428544900
• Opcode ID: 58c1d9b3d1b1c15a8cd78f9a00dafefecc7e02734b9869a4f6de2bb31958721e
• Instruction ID: 3c1e1c1738a5947076a99cd27914ea972747f2e1cfac00d842fda7502f9a73bb
• Opcode Fuzzy Hash: 58c1d9b3d1b1c15a8cd78f9a00dafefecc7e02734b9869a4f6de2bb31958721e
• Instruction Fuzzy Hash: C14191B1A08128ABDB259B689C86AFE77FDEF17700F0440E9F545E3110DB748E85CBA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 00BA22A3
• RegQueryValueExA.ADVAPI32(?,wextract_cleanup2,00000000,00000000,?,?,00000001), ref: 00BA22D8
• memset.MSVCRT ref: 00BA22F5
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00BA2305
• RegSetValueExA.ADVAPI32(?,wextract_cleanup2,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 00BA236E
• RegCloseKey.ADVAPI32(?), ref: 00BA237A
Strings
• wextract_cleanup2, xrefs: 00BA227C, 00BA22CD, 00BA2363
• Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00BA2299
• rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00BA232D
• C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00BA2321
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: Value$CloseDirectoryOpenQuerySystemmemset
• String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup2
• API String ID: 3027380567-1720115735
• Opcode ID: aa9533152684645e2ae74d3441fe71334a0c3b0ad7fef212927baf669c72b975
• Instruction ID: 74f6bb809ec6c5b0abc78656d1e441e8c4dcbb4052fc4d2c11ad1041f8b53317
• Opcode Fuzzy Hash: aa9533152684645e2ae74d3441fe71334a0c3b0ad7fef212927baf669c72b975
• Instruction Fuzzy Hash: 3C318471A042186BDB319B55DC49FEB7BFCEB57700F0401E9B90DA6051EE71AB88CA60
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • EndDialog.USER32(?,00000000), ref: 00BA313B
                                                                                                                                                                                                                  • GetDesktopWindow.USER32 ref: 00BA314B
                                                                                                                                                                                                                  • SetDlgItemTextA.USER32(?,00000834), ref: 00BA316A
                                                                                                                                                                                                                  • SetWindowTextA.USER32(?,smo), ref: 00BA3176
                                                                                                                                                                                                                  • SetForegroundWindow.USER32(?), ref: 00BA317D
                                                                                                                                                                                                                  • GetDlgItem.USER32(?,00000834), ref: 00BA3185
                                                                                                                                                                                                                  • GetWindowLongA.USER32(00000000,000000FC), ref: 00BA3190
                                                                                                                                                                                                                  • SetWindowLongA.USER32(00000000,000000FC,00BA30C0), ref: 00BA31A3
                                                                                                                                                                                                                  • SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 00BA31CA
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
• String ID: smo
• API String ID: 3785188418-2762499640
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00BA17EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00BA18DD), ref: 00BA181A
  • Part of subcall function 00BA17EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00BA182C
  • Part of subcall function 00BA17EE: AllocateAndInitializeSid.ADVAPI32(00BA18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00BA18DD), ref: 00BA1855
  • Part of subcall function 00BA17EE: FreeSid.ADVAPI32(?,?,?,?,00BA18DD), ref: 00BA1883
  • Part of subcall function 00BA17EE: FreeLibrary.KERNEL32(00000000,?,?,?,00BA18DD), ref: 00BA188A
• GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 00BA18EB
• OpenProcessToken.ADVAPI32(00000000), ref: 00BA18F2
• GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00BA190A
• GetLastError.KERNEL32 ref: 00BA1918
• LocalAlloc.KERNEL32(00000000,?,?), ref: 00BA192C
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00BA1944
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BA1964
• EqualSid.ADVAPI32(00000004,?), ref: 00BA197A
• FreeSid.ADVAPI32(?), ref: 00BA199C
• LocalFree.KERNEL32(00000000), ref: 00BA19A3
• CloseHandle.KERNEL32(?), ref: 00BA19AD
Similarity
• API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
• String ID:
• API String ID: 2168512254-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46A0
• SizeofResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46A9
• FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46C3
• LoadResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46CC
• LockResource.KERNEL32(00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46D3
• memcpy_s.MSVCRT ref: 00BA46E5
• FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46EF
Strings
Similarity
• API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
• String ID: TITLE$smo
• API String ID: 3370778649-3033500379
Uniqueness
• Uniqueness Score: -1.00%
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00BA18DD), ref: 00BA181A
• GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00BA182C
• AllocateAndInitializeSid.ADVAPI32(00BA18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00BA18DD), ref: 00BA1855
• FreeSid.ADVAPI32(?,?,?,?,00BA18DD), ref: 00BA1883
• FreeLibrary.KERNEL32(00000000,?,?,?,00BA18DD), ref: 00BA188A
Strings
Similarity
• API ID: FreeLibrary$AddressAllocateInitializeLoadProc
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 4204503880-1888249752
Uniqueness
• Uniqueness Score: -1.00%
APIs
• EndDialog.USER32(?,?), ref: 00BA3490
• GetDesktopWindow.USER32 ref: 00BA349A
• SetWindowTextA.USER32(?,smo), ref: 00BA34B2
• SetDlgItemTextA.USER32(?,00000838), ref: 00BA34C4
• SetForegroundWindow.USER32(?), ref: 00BA34CB
• EndDialog.USER32(?,00000002), ref: 00BA34D8
Strings
Similarity
• API ID: Window$DialogText$DesktopForegroundItem
• String ID: smo
• API String ID: 852535152-2762499640
                                                                                                                                                                                                                  • Opcode ID: b516f76276cead0ecc8de019fd6789182bf12e28bfd389a59ef7e887a389b081
                                                                                                                                                                                                                  • Instruction ID: 2dff8ae086a49fa931bbcf461588f1138587653a30a33dbfe24236818cc36550
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b516f76276cead0ecc8de019fd6789182bf12e28bfd389a59ef7e887a389b081
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F01B131248114BBD7265F69DC0D9AD3AE4EB0FB40F104050F946A76A0CF748F42DB91
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00BA2AE6
                                                                                                                                                                                                                  • IsDBCSLeadByte.KERNEL32(00000000), ref: 00BA2AF2
                                                                                                                                                                                                                  • CharNextA.USER32(?), ref: 00BA2B12
                                                                                                                                                                                                                  • CharUpperA.USER32 ref: 00BA2B1E
                                                                                                                                                                                                                  • CharPrevA.USER32(?,?), ref: 00BA2B55
                                                                                                                                                                                                                  • CharNextA.USER32(?), ref: 00BA2BD4
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 571164536-0
                                                                                                                                                                                                                  • Opcode ID: 33bb4cee6c823e764ccc1f0392dc63d2e9d460b7b82a07bf166556116b0a3e7a
                                                                                                                                                                                                                  • Instruction ID: bd5973b0e1d83b057fb562dad6ca1dcf9b6414bee9b877b201aa89a0b17fa644
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 33bb4cee6c823e764ccc1f0392dc63d2e9d460b7b82a07bf166556116b0a3e7a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A941BF346082456FDB269F289854AFD7BE9DF57310F5400DAE88297242DF358E86CB71
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00BA43F1
                                                                                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00BA440B
                                                                                                                                                                                                                  • GetDC.USER32(?), ref: 00BA4423
                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00BA442E
                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00BA443A
                                                                                                                                                                                                                  • ReleaseDC.USER32(?,00000000), ref: 00BA4447
                                                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,00000001,?), ref: 00BA44A2
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Window$CapsDeviceRect$Release
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2212493051-0
                                                                                                                                                                                                                  • Opcode ID: b63d0b54c19d5ca6307c551ed4fec3c8271542257091a65a54467872fa13ffce
                                                                                                                                                                                                                  • Instruction ID: cb10aafdbbb663f4c6ac9a7301e63dfbfadcac7ad88170393ad414ebdfcde993
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b63d0b54c19d5ca6307c551ed4fec3c8271542257091a65a54467872fa13ffce
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AF31E872E00119AFCB14CFB8DD899EEBBB5EB8A310F154169E905B7250EF70AD05CB61
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 00BA171E: _vsnprintf.MSVCRT ref: 00BA1750
                                                                                                                                                                                                                  • LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,00BA51CA,00000004,00000024,00BA2F71,?,00000002,00000000), ref: 00BA62CD
                                                                                                                                                                                                                  • LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,00BA51CA,00000004,00000024,00BA2F71,?,00000002,00000000), ref: 00BA62D4
                                                                                                                                                                                                                  • FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00BA51CA,00000004,00000024,00BA2F71,?,00000002,00000000), ref: 00BA631B
                                                                                                                                                                                                                  • FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00BA6345
                                                                                                                                                                                                                  • FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00BA51CA,00000004,00000024,00BA2F71,?,00000002,00000000), ref: 00BA6357
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Resource$Free$FindLoadLock_vsnprintf
                                                                                                                                                                                                                  • String ID: UPDFILE%lu
                                                                                                                                                                                                                  • API String ID: 2922116661-2329316264
                                                                                                                                                                                                                  • Opcode ID: 580a6c8dba6f11a5c86d55c6e6c1ec670756dea9e42a0886a95463ea190cd635
                                                                                                                                                                                                                  • Instruction ID: 9cba69a4691fd80dcff13b01423e023877c021706fd26dd9835015655f86dc23
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 580a6c8dba6f11a5c86d55c6e6c1ec670756dea9e42a0886a95463ea190cd635
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5721F6B5A04219AFDF109F68CC469BFBBF8FB4A710B040169F902A3251DB359D06CBE4
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%
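The function above formats a resource name with `_vsnprintf` from the string `UPDFILE%lu` and resolves it with `FindResourceA(..., 0000000A)`, where 0x0A is RT_RCDATA; a later function in this listing does the same for a resource named `TITLE`, and another reads `Control Panel\Desktop\ResourceLocale`. That combination is the resource layout of Microsoft's Wextract/IExpress self-extractor stub (an identification from general knowledge of that stub, not something this report states): every embedded file is an RT_RCDATA resource UPDFILE0, UPDFILE1, ... that the stub writes to disk and runs. A triager can therefore recover the dropped payloads statically instead of waiting for the sandbox to see them on disk. The example below is added here and is neither the report's nor the sample's code: it walks a PE resource directory by hand (no pefile dependency), returns the RT_RCDATA entries, and orders the UPDFILE<n> blobs the way the stub's `UPDFILE%lu` loop would fetch them. The rsrc blob, its RVA and the `build_rsrc` helper are constructed test data.

```python
import re
import struct

# Added example, not code from the report or from the analysed sample. It statically
# walks a PE resource directory and recovers the RT_RCDATA entries that the listing
# above resolves at run time: FindResourceA with lpType 0x0A (RT_RCDATA) and names
# produced by the "UPDFILE%lu" format string, plus the "TITLE" resource. The rsrc
# blob at the bottom is constructed here so the example runs offline.

RT_RCDATA = 10  # the 0000000A passed as lpType in the FindResourceA calls


def _u16(buf, off): return struct.unpack_from("<H", buf, off)[0]
def _u32(buf, off): return struct.unpack_from("<I", buf, off)[0]


def _entry_name(rsrc, field):
    """Entry Name field: UTF-16 string (IMAGE_RESOURCE_DIR_STRING_U) if bit 31 set, else an id."""
    if field & 0x80000000:
        off = field & 0x7FFFFFFF
        count = _u16(rsrc, off)  # Length is in WCHARs
        return rsrc[off + 2: off + 2 + 2 * count].decode("utf-16-le")
    return field


def _entries(rsrc, dir_off):
    """Yield (name_or_id, offset, is_subdir) for one IMAGE_RESOURCE_DIRECTORY level."""
    named, by_id = _u16(rsrc, dir_off + 12), _u16(rsrc, dir_off + 14)
    for i in range(named + by_id):
        e = dir_off + 16 + 8 * i
        target = _u32(rsrc, e + 4)  # bit 31 set: subdirectory, clear: IMAGE_RESOURCE_DATA_ENTRY
        yield _entry_name(rsrc, _u32(rsrc, e)), target & 0x7FFFFFFF, bool(target & 0x80000000)


def rcdata_resources(rsrc, rsrc_rva):
    """Map name/id -> bytes for each RT_RCDATA resource (first language only).
    rsrc is the raw .rsrc section, rsrc_rva its virtual address: the data entry's
    OffsetToData is an RVA, so it must be rebased before slicing."""
    found = {}
    for rtype, type_dir, is_dir in _entries(rsrc, 0):
        if rtype != RT_RCDATA or not is_dir:
            continue
        for name, lang_dir, is_dir2 in _entries(rsrc, type_dir):
            if not is_dir2:
                continue
            for _lang, leaf, is_dir3 in _entries(rsrc, lang_dir):
                if not is_dir3:
                    data_rva, size = _u32(rsrc, leaf), _u32(rsrc, leaf + 4)
                    found[name] = rsrc[data_rva - rsrc_rva: data_rva - rsrc_rva + size]
                    break
    return found


_UPDFILE = re.compile(r"^UPDFILE(\d+)$")


def embedded_files(resources):
    """[(n, bytes)] for UPDFILE<n> resources, in the order a 'UPDFILE%lu' loop fetches them."""
    out = []
    for name, data in resources.items():
        m = _UPDFILE.match(name) if isinstance(name, str) else None
        if m:
            out.append((int(m.group(1)), data))
    return sorted(out)


def build_rsrc(entries, rsrc_rva):
    """Constructed test helper: serialise {name: bytes} as a three-level RT_RCDATA-only tree."""
    names, n = list(entries), len(entries)
    lang0, data0, pos = 40 + 8 * n, 40 + 32 * n, 40 + 48 * n  # fixed offsets after the directories
    strings, str_offs = b"", []
    for nm in names:
        str_offs.append(pos)
        strings += struct.pack("<H", len(nm)) + nm.encode("utf-16-le")
        pos += 2 + 2 * len(nm)
    blobs, blob_offs = b"", []
    for nm in names:
        blob_offs.append(pos + len(blobs))
        blobs += entries[nm]
    hdr = lambda named, by_id: struct.pack("<IIHHHH", 0, 0, 0, 0, named, by_id)
    out = hdr(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 24)  # root -> type directory at 24
    out += hdr(n, 0)                                                    # type directory: n named entries
    for i in range(n):
        out += struct.pack("<II", 0x80000000 | str_offs[i], 0x80000000 | (lang0 + 24 * i))
    for i in range(n):                                                  # one language directory per name
        out += hdr(0, 1) + struct.pack("<II", 0x409, data0 + 16 * i)
    for i, nm in enumerate(names):                                      # IMAGE_RESOURCE_DATA_ENTRY per name
        out += struct.pack("<IIII", rsrc_rva + blob_offs[i], len(entries[nm]), 0, 0)
    return out + strings + blobs


# Constructed sample: a TITLE resource and two embedded files, the shape the listing implies.
SAMPLE_RVA = 0x9000
SAMPLE_RSRC = build_rsrc({"TITLE": b"Update\0",
                          "UPDFILE0": b"MZ" + b"\0" * 30,   # stand-in for an embedded executable
                          "UPDFILE1": b"@echo off\r\n"}, SAMPLE_RVA)

if __name__ == "__main__":
    res = rcdata_resources(SAMPLE_RSRC, SAMPLE_RVA)
    print("TITLE:", res["TITLE"], [(n, len(d)) for n, d in embedded_files(res)])
```

On a real file, pass `rcdata_resources` the raw bytes of the `.rsrc` section and that section's VirtualAddress from the section table (with pefile: `section.get_data()` and `section.VirtualAddress` for the entry of `pe.sections` whose name is `.rsrc`). Hashing the UPDFILE blobs it returns gives you the dropped files before the stub ever runs, which is the check to make when the sandbox's dropped-file list looks incomplete.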

APIs
• GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00BA686E
• GetSystemMetrics.USER32(0000004A), ref: 00BA68A7
• RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00BA68CC
• RegQueryValueExA.ADVAPI32(?,00BA1140,00000000,?,?,0000000C), ref: 00BA68F4
• RegCloseKey.ADVAPI32(?), ref: 00BA6902
  • Part of subcall function 00BA66F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,00BA691A), ref: 00BA6741
Strings
• Control Panel\Desktop\ResourceLocale, xrefs: 00BA68C2
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
• String ID: Control Panel\Desktop\ResourceLocale
• API String ID: 3346862599-1109908249
• Opcode ID: 13f8990784a9a7c360844c0bc1ef79a8f350b2fdde2edc5305712f30011a9d18
• Instruction ID: 2c5791b2639cbc0448749ff28384bc01777d4b392f015ff0e4e07725db4abd05
• Opcode Fuzzy Hash: 13f8990784a9a7c360844c0bc1ef79a8f350b2fdde2edc5305712f30011a9d18
• Instruction Fuzzy Hash: CF314FB1A042189FDB318B15CC45BABB7F9EB8B764F0801E9E949A3150DB309985CB52
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46A0
  • Part of subcall function 00BA468F: SizeofResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46A9
  • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46C3
  • Part of subcall function 00BA468F: LoadResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46CC
  • Part of subcall function 00BA468F: LockResource.KERNEL32(00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46D3
  • Part of subcall function 00BA468F: memcpy_s.MSVCRT ref: 00BA46E5
  • Part of subcall function 00BA468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46EF
• LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00BA2F64,?,00000002,00000000), ref: 00BA3A5D
• LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00BA3AB3
  • Part of subcall function 00BA44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00BA4518
  • Part of subcall function 00BA44B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00BA4554
  • Part of subcall function 00BA6285: GetLastError.KERNEL32(00BA5BBC), ref: 00BA6285
                                                                                                                                                                                                                  • lstrcmpA.KERNEL32(<None>,00000000), ref: 00BA3AD0
                                                                                                                                                                                                                  • LocalFree.KERNEL32 ref: 00BA3B13
                                                                                                                                                                                                                    • Part of subcall function 00BA6517: FindResourceA.KERNEL32(00BA0000,000007D6,00000005), ref: 00BA652A
                                                                                                                                                                                                                    • Part of subcall function 00BA6517: LoadResource.KERNEL32(00BA0000,00000000,?,?,00BA2EE8,00000000,00BA19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00BA6538
                                                                                                                                                                                                                    • Part of subcall function 00BA6517: DialogBoxIndirectParamA.USER32(00BA0000,00000000,00000547,00BA19E0,00000000), ref: 00BA6557
                                                                                                                                                                                                                    • Part of subcall function 00BA6517: FreeResource.KERNEL32(00000000,?,?,00BA2EE8,00000000,00BA19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00BA6560
                                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,00BA3100,00000000,00000000), ref: 00BA3AF4
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
                                                                                                                                                                                                                  • String ID: <None>$LICENSE
                                                                                                                                                                                                                  • API String ID: 2414642746-383193767
                                                                                                                                                                                                                  • Opcode ID: 95e25a10dcbcdb4a14e75acb746df80dac72254f0ecc9bba3be2dba57be578d2
                                                                                                                                                                                                                  • Instruction ID: 1a21488c17b3371ccfc821f2ba6fd9f040e97122bc1927f26d4092f122652462
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 95e25a10dcbcdb4a14e75acb746df80dac72254f0ecc9bba3be2dba57be578d2
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CD1187713082117BD7206F76DC0AF1B7AE9DBDBB00B10447EB545E75A1DFB988009664
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00BA2506
                                                                                                                                                                                                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 00BA252C
                                                                                                                                                                                                                  • _lopen.KERNEL32(?,00000040), ref: 00BA253B
                                                                                                                                                                                                                  • _llseek.KERNEL32(00000000,00000000,00000002), ref: 00BA254C
                                                                                                                                                                                                                  • _lclose.KERNEL32(00000000), ref: 00BA2555
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
                                                                                                                                                                                                                  • String ID: wininit.ini
                                                                                                                                                                                                                  • API String ID: 3273605193-4206010578
                                                                                                                                                                                                                  • Opcode ID: adf76f48b55363503095b321be08d1ded1b5d152310ecfe2b9242a9257cb5083
                                                                                                                                                                                                                  • Instruction ID: b6130952a87db95a0b171adc3c3f2e9d166c663c25b30765ef65c8529a130003
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: adf76f48b55363503095b321be08d1ded1b5d152310ecfe2b9242a9257cb5083
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 13015E32A041186BC7309B69DC4AEDFBBBDEB97760F000195FA49D3190DF748E45CAA1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00BA3723
                                                                                                                                                                                                                  • MessageBeep.USER32(00000000), ref: 00BA39C3
                                                                                                                                                                                                                  • MessageBoxA.USER32(00000000,00000000,smo,00000030), ref: 00BA39F1
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Message$BeepVersion
                                                                                                                                                                                                                  • String ID: 3$smo
                                                                                                                                                                                                                  • API String ID: 2519184315-1411035656
                                                                                                                                                                                                                  • Opcode ID: 090d0d2138081f59fd8c60537a159460d2d0d55facc083d0ef3ac4247587e8c1
                                                                                                                                                                                                                  • Instruction ID: e70555d6f461c03b6ac2d1780adb3aadfb93fd476dfbf16c6cdcc6fe9210be06
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 090d0d2138081f59fd8c60537a159460d2d0d55facc083d0ef3ac4247587e8c1
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AF91C2B1F092249BEB758F14CD81BAA77E0EB47B04F1541EAF84AA7251DB748F81CB41
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00BA64DF
                                                                                                                                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00BA64F9
                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00BA6502
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: LibraryLoad$AttributesFile
                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$advpack.dll
                                                                                                                                                                                                                  • API String ID: 438848745-3736221019
                                                                                                                                                                                                                  • Opcode ID: 7cbaaacc8f159c5121fba3d631515b0e71aef80236451e45f728c81bf7712f47
                                                                                                                                                                                                                  • Instruction ID: bd53e2ebc7e892e27082c9f70d7de2c6b8056a84e3509d957f7d2741ee384339
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7cbaaacc8f159c5121fba3d631515b0e71aef80236451e45f728c81bf7712f47
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 790181B1E08108BFDB64DB64DC4AAEA77B8EB67310F5001D5F585A31D0DF70AE8ACA51
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%
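The listings above all come from one dumped image in process 2 (source file at offset 00BA0000, "based on PE: true"), so every "ref:" value is a call-site virtual address inside that image, not a file offset. Reading them by hand is slow, so here is an added example, not Joe Sandbox's code and not part of this report, that parses "APIs" listings of exactly this shape into per-function call records and tags the groups a practitioner would pull out first: FindResourceA/LoadResource/LockResource reads of resources named TITLE and LICENSE, the IXP002.TMP directory under %TEMP%, the run-time load of advpack.dll, and the WritePrivateProfileStringA call paired with the string wininit.ini. The regular expressions are written from the visible line shapes; the tag names, and the reading that this combination looks like a Microsoft IExpress-style self-extraction stub, are the example's own assumptions (the report itself makes no such claim). SAMPLE is a condensed excerpt of the lines above, embedded so the script runs offline.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not Joe Sandbox code).
Tag names and the behaviours they stand for are the analyst's assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One call bullet, with or without "Part of subcall function XXXX:", with or
# without an argument list, always ending in "ref: <address>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "String ID" under "Similarity" lists '$'-separated strings Joe attributed to the
# function; they often carry what the '?' placeholders in the argument lists hide.
STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                 # call-site VA in the dumped image, not a file offset
    subcall: Optional[str]   # callee address when the call is inherited from a subcall


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_blocks(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per 'APIs' heading; other headings are skipped."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = STRING_ID.match(line)
        if m:
            cur.strings = [s for s in m["ids"].split("$") if s]
    return blocks


def indicators(block: FunctionBlock) -> List[str]:
    """Tag a block from its API set plus all argument and attributed strings."""
    apis = {c.api for c in block.calls}
    text = " ".join(a for c in block.calls for a in c.args) + " " + " ".join(block.strings)
    tags = set()
    if {"FindResourceA", "LoadResource", "LockResource"} <= apis and re.search(r"\b(TITLE|LICENSE)\b", text):
        tags.add("named-resource-read")   # payload/config carried in named PE resources (assumption)
    if re.search(r"IXP\d{3}\.TMP", text):
        tags.add("ixp-temp-dir")          # %TEMP%\IXPnnn.TMP extraction directory (assumption)
    if any(c.api.startswith("LoadLibrary") and any("advpack.dll" in a for a in c.args) for c in block.calls):
        tags.add("advpack-load")          # advpack.dll loaded at run time
    if "WritePrivateProfileStringA" in apis and "wininit.ini" in text:
        tags.add("wininit-ini-write")     # INI write paired with the wininit.ini string
    return sorted(tags)


def triage(text: str) -> List[List[str]]:
    return [indicators(b) for b in parse_blocks(text)]


# Constructed excerpt of the report's own listings (three of the five functions).
SAMPLE = r"""
APIs
  • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46A0
  • Part of subcall function 00BA468F: LoadResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F), ref: 00BA46CC
  • Part of subcall function 00BA468F: LockResource.KERNEL32(00000000,?,00BA2D1A,0000007F), ref: 00BA46D3
  • Part of subcall function 00BA468F: memcpy_s.MSVCRT ref: 00BA46E5
• LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00BA2F64), ref: 00BA3A5D
• lstrcmpA.KERNEL32(<None>,00000000), ref: 00BA3AD0
• LocalFree.KERNEL32 ref: 00BA3B13
Strings
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
Similarity
• API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
• String ID: <None>$LICENSE
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00BA2506
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 00BA252C
• _lopen.KERNEL32(?,00000040), ref: 00BA253B
Similarity
• String ID: wininit.ini
APIs
• GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00BA64DF
• LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00BA6502
"""

if __name__ == "__main__":
    for n, (blk, tags) in enumerate(zip(parse_blocks(SAMPLE), triage(SAMPLE)), 1):
        direct = [c.ref for c in blk.calls if c.subcall is None]
        print(f"function {n}: {len(blk.calls)} calls, direct call sites {direct}, tags {tags}")
```

Paste a whole function page into the text argument and the tags give a first pass over hundreds of blocks; the "direct" list separates the function's own call sites from the calls Joe inherits from subcalls, which matters when you go to set breakpoints on the process-2 dump.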

APIs
• GlobalFree.KERNEL32(00000000), ref: 00BA2A6F
  • Part of subcall function 00BA2773: CharUpperA.USER32(88C731A0,00000000,00000000,00000000), ref: 00BA27A8
  • Part of subcall function 00BA2773: CharNextA.USER32(0000054D), ref: 00BA27B5
  • Part of subcall function 00BA2773: CharNextA.USER32(00000000), ref: 00BA27BC
  • Part of subcall function 00BA2773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00BA2829
  • Part of subcall function 00BA2773: RegQueryValueExA.ADVAPI32(?,00BA1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00BA2852
  • Part of subcall function 00BA2773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00BA2870
  • Part of subcall function 00BA2773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00BA28A0
• GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00BA3938,?,?,?,?,-00000005), ref: 00BA2958
• GlobalLock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BA3938,?,?,?,?,-00000005,?), ref: 00BA2969
• GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BA3938,?,?,?,?,-00000005,?), ref: 00BA2A21
• GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 00BA2A81
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3949799724-0
                                                                                                                                                                                                                  • Opcode ID: e89aa65f11ee353bff024ece6456c03a899ea2e7aba7d344d3e4d48fcc63df7a
                                                                                                                                                                                                                  • Instruction ID: 1c75436af4f6b4e93664067fa3a837246e8d51255b2a5dc7fb06986662496870
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e89aa65f11ee353bff024ece6456c03a899ea2e7aba7d344d3e4d48fcc63df7a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B510831E04219DFCB21DF98D985AAEFBF5FF49700F1441AAE915E3221DB319A41DBA0
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46A0
  • Part of subcall function 00BA468F: SizeofResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46A9
  • Part of subcall function 00BA468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00BA46C3
  • Part of subcall function 00BA468F: LoadResource.KERNEL32(00000000,00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46CC
  • Part of subcall function 00BA468F: LockResource.KERNEL32(00000000,?,00BA2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46D3
  • Part of subcall function 00BA468F: memcpy_s.MSVCRT ref: 00BA46E5
  • Part of subcall function 00BA468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00BA46EF
• LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,00BA30B4), ref: 00BA4189
• LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,00BA30B4), ref: 00BA41E7
  • Part of subcall function 00BA44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00BA4518
  • Part of subcall function 00BA44B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00BA4554
Strings
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
• String ID: <None>$FINISHMSG
• API String ID: 3507850446-3091758298
• Opcode ID: 7108e6cbe932b9f03df45f8b6ab814a8c2eb95c8f3ac9ed9d1fef2e92e5dcc2c
• Instruction ID: 362d1727b2fd62c37662170b82c66228000962ac4c2eadb770ac19cbef99b0b8
• Opcode Fuzzy Hash: 7108e6cbe932b9f03df45f8b6ab814a8c2eb95c8f3ac9ed9d1fef2e92e5dcc2c
• Instruction Fuzzy Hash: 4301A4B53082247BF7241A698C86F7B69CEDBDB795F1044A5B705F26809FE8CC0141B9
Uniqueness

Uniqueness Score: -1.00%

APIs
• EndDialog.USER32(?,?), ref: 00BA1A18
• GetDesktopWindow.USER32 ref: 00BA1A24
• LoadStringA.USER32(?,?,00000200), ref: 00BA1A4F
• SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00BA1A62
• MessageBeep.USER32(000000FF), ref: 00BA1A6A
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
• String ID:
• API String ID: 1273765764-0
• Opcode ID: 1c46d44dbd5713e63e171fdd456aa3997463aae92b57d486b1dc9b0fbf5806e1
• Instruction ID: 171c1466b2204d1fdd98c2624099feb6a8815ba9277b45c3713894b0a0aa7dde
• Opcode Fuzzy Hash: 1c46d44dbd5713e63e171fdd456aa3997463aae92b57d486b1dc9b0fbf5806e1
• Instruction Fuzzy Hash: 6C118E31605109ABDB50EF68DD09AAE77F8EB4B310F1085A5E922E3190DF309E01DBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00BA7182
• GetCurrentProcessId.KERNEL32 ref: 00BA7191
• GetCurrentThreadId.KERNEL32 ref: 00BA719A
• GetTickCount.KERNEL32 ref: 00BA71A3
• QueryPerformanceCounter.KERNEL32(?), ref: 00BA71B8
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: f87a382e922a5b9dee71f860e704e6b4b73cee7540fb7d49ba282896b7161a59
• Instruction ID: f40276233130a4f10e89596ee96103655b3553313bbd5453ab36cc2c9a5fba27
• Opcode Fuzzy Hash: f87a382e922a5b9dee71f860e704e6b4b73cee7540fb7d49ba282896b7161a59
• Instruction Fuzzy Hash: 02110671D09208EBCB10DFB8DA59A9EB7F4FF4A315F6148A6E905E7210EF349A04CB51
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00BA642D
• WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00BA645B
• CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00BA647A
Strings
• C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00BA63EB
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
• API String ID: 1065093856-1610346413
• Opcode ID: f3c4927edb51b33ddf5d56b4c23d701ab813a7d014b20b265846ee4be0067868
• Instruction ID: 828189ddcd09ebf1bbef1ba7f7cb41587dea0f9d7882e74543a8296591d96c64
• Opcode Fuzzy Hash: f3c4927edb51b33ddf5d56b4c23d701ab813a7d014b20b265846ee4be0067868
• Instruction Fuzzy Hash: A221C3B1A04218AFD720DF25DC86FEB77A8EB4A314F0041A9A595A3280DFB05D848FA4
Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00BA4E6F), ref: 00BA47EA
                                                                                                                                                                                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00BA4823
                                                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00BA4847
                                                                                                                                                                                                                    • Part of subcall function 00BA44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00BA4518
                                                                                                                                                                                                                    • Part of subcall function 00BA44B9: MessageBoxA.USER32(?,?,smo,00010010), ref: 00BA4554
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  • C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00BA4851
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Local$Alloc$FreeLoadMessageString
                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
                                                                                                                                                                                                                  • API String ID: 359063898-1610346413
                                                                                                                                                                                                                  • Opcode ID: 54f65150fe726489291395aaa83a31c3f3f43d12c601286c8d794b92da551f27
                                                                                                                                                                                                                  • Instruction ID: fd6163579a374839c10f80ba5cf1f8aae7bd4ee8cabfb151d267635e8fb4db26
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 54f65150fe726489291395aaa83a31c3f3f43d12c601286c8d794b92da551f27
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 601102796086416FD7248F34AC59F723B9AEBC7300B048599EA829B341DFB98C06C760
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00BA369F
                                                                                                                                                                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA36B2
                                                                                                                                                                                                                  • DispatchMessageA.USER32(?), ref: 00BA36CB
                                                                                                                                                                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA36DA
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2776232527-0
                                                                                                                                                                                                                  • Opcode ID: b9e40fcb9e016d793c58b7a2a44af0c08de6e2d38db49c5f49651945bd9ddfdb
                                                                                                                                                                                                                  • Instruction ID: 4f9c6c405e341da2d9b6607a96c70e79557aced52283211c2a2535b68b556cad
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b9e40fcb9e016d793c58b7a2a44af0c08de6e2d38db49c5f49651945bd9ddfdb
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B0184729082147BDB304BAA5C49EEF76FCEB87F10F140159F905E2180DA608A44C670
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • FindResourceA.KERNEL32(00BA0000,000007D6,00000005), ref: 00BA652A
                                                                                                                                                                                                                  • LoadResource.KERNEL32(00BA0000,00000000,?,?,00BA2EE8,00000000,00BA19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00BA6538
                                                                                                                                                                                                                  • DialogBoxIndirectParamA.USER32(00BA0000,00000000,00000547,00BA19E0,00000000), ref: 00BA6557
                                                                                                                                                                                                                  • FreeResource.KERNEL32(00000000,?,?,00BA2EE8,00000000,00BA19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00BA6560
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1214682469-0
                                                                                                                                                                                                                  • Opcode ID: 5353bfbaf41a428be659111141ed8c2b2f77c3e981dc5af8cf8a775a89fd81cb
                                                                                                                                                                                                                  • Instruction ID: c57f24b760cb573bcc4b5b35ed8b791e61a89b31682562bc060542e292291bdc
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5353bfbaf41a428be659111141ed8c2b2f77c3e981dc5af8cf8a775a89fd81cb
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 460149B2500209BBCB205FA99C49DBB7BADEB9B760F080165FE00A3190DF71CC10D6B1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00BA2B33), ref: 00BA6602
                                                                                                                                                                                                                  • CharPrevA.USER32(?,00000000), ref: 00BA6612
                                                                                                                                                                                                                  • CharPrevA.USER32(?,00000000), ref: 00BA6629
                                                                                                                                                                                                                  • CharNextA.USER32(00000000), ref: 00BA6635
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Char$Prev$Next
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3260447230-0
                                                                                                                                                                                                                  • Opcode ID: 2439bfae37ef98ee4c81c2e775db15a6dd5d5300b10f93861893b5d87320a227
                                                                                                                                                                                                                  • Instruction ID: 8ebe74f98b56d4451a0edf428e6b5641786e72dd197d7235792fef8d69912f18
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2439bfae37ef98ee4c81c2e775db15a6dd5d5300b10f93861893b5d87320a227
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E6F0F4B25081507EE7321B2C8C889FBBFDCCB87254B2D01EFE49193001DB250D06C671
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 00BA6FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00BA6FC5
                                                                                                                                                                                                                  • __set_app_type.MSVCRT ref: 00BA69C2
                                                                                                                                                                                                                  • __p__fmode.MSVCRT ref: 00BA69D8
                                                                                                                                                                                                                  • __p__commode.MSVCRT ref: 00BA69E6
                                                                                                                                                                                                                  • __setusermatherr.MSVCRT ref: 00BA6A07
Memory Dump Source
• Source File: 00000002.00000002.2584327656.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000002.00000002.2584302635.0000000000BA0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584354562.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2584382522.0000000000BAC000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ba0000_BC5tT98.jbxd
Similarity
• API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
• String ID:
• API String ID: 1632413811-0
• Opcode ID: 8ec1f06afad76a29c45170682a43eed9203651d63911bf7be7ae775f84d0c63c
• Instruction ID: dc6d8c562dd48eb2425b58c5ff169e07fd16601c18be6f06964cb2bbd224ed58
• Opcode Fuzzy Hash: 8ec1f06afad76a29c45170682a43eed9203651d63911bf7be7ae775f84d0c63c
• Instruction Fuzzy Hash: FEF015B094C301AFC768AB30ED1B7083BE1FB07331B110689E862976F0DF3A8565CA21
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 7.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.9%
Total number of Nodes: 1528
Total number of Limit Nodes: 21
20991->21030 20994 91cd9 20995 91ce2 20994->20995 21032 9b2f0 20994->21032 21035 91a7f 20995->21035 21000 91917 20999->21000 21045 91f81 IsProcessorFeaturePresent 21000->21045 21004 91928 21005 9192c 21004->21005 21055 9bd58 21004->21055 21005->20976 21008 91943 21008->20976 21011 9b90b 21010->21011 21012 9b910 21010->21012 21181 9b65c 21011->21181 21012->20989 21015 81ced 21014->21015 21513 81680 21015->21513 21017 81d0c 21518 82a20 21017->21518 21021 81d3d 21021->20991 21023 9b123 CallUnexpected 23 API calls 21022->21023 21024 91d4a 21023->21024 21024->20982 21026 9b32b __Getctype 21025->21026 21029 9ad63 ___scrt_is_nonwritable_in_current_image 21025->21029 21026->20985 21027 a1120 __Getctype 42 API calls 21027->21029 21028 9ad9f CallUnexpected 42 API calls 21028->21029 21029->21025 21029->21027 21029->21028 21031 91cd5 21030->21031 21031->20979 21031->20994 21033 9b123 CallUnexpected 23 API calls 21032->21033 21034 9b2fb 21033->21034 21034->20995 21036 91a8b 21035->21036 21037 91aa1 21036->21037 21778 9bd6a 21036->21778 21037->20984 21039 91a99 21040 97d94 ___scrt_uninitialize_crt 7 API calls 21039->21040 21040->21037 21042 91dc5 CallUnexpected codecvt 21041->21042 21043 91e70 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 21042->21043 21044 91ebb CallUnexpected 21043->21044 21044->20979 21046 91923 21045->21046 21047 97d75 21046->21047 21064 9a4cc 21047->21064 21050 97d7e 21050->21004 21052 97d86 21053 97d91 21052->21053 21078 9a508 21052->21078 21053->21004 21118 a37da 21055->21118 21058 97d94 21059 97d9d 21058->21059 21060 97da7 21058->21060 21061 99742 ___vcrt_uninitialize_ptd 6 API calls 21059->21061 21060->21005 21062 97da2 21061->21062 21063 9a508 ___vcrt_uninitialize_locks DeleteCriticalSection 21062->21063 21063->21060 21065 9a4d5 21064->21065 21067 9a4fe 21065->21067 21068 97d7a 21065->21068 21082 9a881 21065->21082 21069 9a508 ___vcrt_uninitialize_locks DeleteCriticalSection 21067->21069 21068->21050 21070 9970f 21068->21070 
21069->21068 21099 9a792 21070->21099 21073 99724 21073->21052 21076 9973f 21076->21052 21079 9a532 21078->21079 21080 9a513 21078->21080 21079->21050 21081 9a51d DeleteCriticalSection 21080->21081 21081->21079 21081->21081 21087 9a6a7 21082->21087 21085 9a8b9 InitializeCriticalSectionAndSpinCount 21086 9a8a4 21085->21086 21086->21065 21088 9a6c4 21087->21088 21091 9a6c8 21087->21091 21088->21085 21088->21086 21089 9a730 GetProcAddress 21089->21088 21091->21088 21091->21089 21092 9a721 21091->21092 21094 9a747 LoadLibraryExW 21091->21094 21092->21089 21093 9a729 FreeLibrary 21092->21093 21093->21089 21095 9a75e GetLastError 21094->21095 21096 9a78e 21094->21096 21095->21096 21097 9a769 ___vcrt_FlsSetValue 21095->21097 21096->21091 21097->21096 21098 9a77f LoadLibraryExW 21097->21098 21098->21091 21100 9a6a7 ___vcrt_FlsSetValue 5 API calls 21099->21100 21101 9a7ac 21100->21101 21102 9a7c5 TlsAlloc 21101->21102 21103 99719 21101->21103 21103->21073 21104 9a843 21103->21104 21105 9a6a7 ___vcrt_FlsSetValue 5 API calls 21104->21105 21106 9a85d 21105->21106 21107 9a878 TlsSetValue 21106->21107 21108 99732 21106->21108 21107->21108 21108->21076 21109 99742 21108->21109 21110 99752 21109->21110 21111 9974c 21109->21111 21110->21073 21113 9a7cd 21111->21113 21114 9a6a7 ___vcrt_FlsSetValue 5 API calls 21113->21114 21115 9a7e7 21114->21115 21116 9a7ff TlsFree 21115->21116 21117 9a7f3 21115->21117 21116->21117 21117->21110 21119 a37ea 21118->21119 21120 91935 21118->21120 21119->21120 21123 a369e 21119->21123 21128 a374e 21119->21128 21120->21008 21120->21058 21124 a36a5 21123->21124 21125 a36e8 GetStdHandle 21124->21125 21126 a374a 21124->21126 21127 a36fb GetFileType 21124->21127 21125->21124 21126->21119 21127->21124 21129 a375a ___scrt_is_nonwritable_in_current_image 21128->21129 21140 9f438 EnterCriticalSection 21129->21140 21131 a3761 21141 a3ba4 21131->21141 21134 a377f 21160 a37a5 21134->21160 21139 a369e 2 API calls 21139->21134 21140->21131 21142 a3bb0 
___scrt_is_nonwritable_in_current_image 21141->21142 21143 a3bda 21142->21143 21144 a3bb9 21142->21144 21163 9f438 EnterCriticalSection 21143->21163 21145 9fe49 __dosmaperr 14 API calls 21144->21145 21147 a3bbe 21145->21147 21148 9ace7 __strnicoll 42 API calls 21147->21148 21149 a3770 21148->21149 21149->21134 21154 a35e8 GetStartupInfoW 21149->21154 21150 a3c12 21171 a3c39 21150->21171 21151 a3be6 21151->21150 21164 a3af4 21151->21164 21155 a3605 21154->21155 21157 a3699 21154->21157 21156 a3ba4 43 API calls 21155->21156 21155->21157 21158 a362d 21156->21158 21157->21139 21158->21157 21159 a365d GetFileType 21158->21159 21159->21158 21180 9f480 LeaveCriticalSection 21160->21180 21162 a3790 21162->21119 21163->21151 21165 a17ca __Getctype 14 API calls 21164->21165 21170 a3b06 21165->21170 21166 a3b13 21167 a140b ___free_lconv_mon 14 API calls 21166->21167 21169 a3b68 21167->21169 21169->21151 21170->21166 21174 a33f1 21170->21174 21179 9f480 LeaveCriticalSection 21171->21179 21173 a3c40 21173->21149 21175 a30e4 __Getctype 5 API calls 21174->21175 21176 a340d 21175->21176 21177 a342b InitializeCriticalSectionAndSpinCount 21176->21177 21178 a3416 21176->21178 21177->21178 21178->21170 21179->21173 21180->21162 21182 9b665 21181->21182 21185 9b67b 21181->21185 21182->21185 21187 9b688 21182->21187 21184 9b672 21184->21185 21204 9b7f3 21184->21204 21185->21012 21188 9b691 21187->21188 21189 9b694 21187->21189 21188->21184 21212 a2512 21189->21212 21194 9b6b1 21239 9b6e2 21194->21239 21195 9b6a5 21196 a140b ___free_lconv_mon 14 API calls 21195->21196 21198 9b6ab 21196->21198 21198->21184 21200 a140b ___free_lconv_mon 14 API calls 21201 9b6d5 21200->21201 21202 a140b ___free_lconv_mon 14 API calls 21201->21202 21203 9b6db 21202->21203 21203->21184 21205 9b864 21204->21205 21210 9b802 21204->21210 21205->21185 21206 a28bd WideCharToMultiByte _Fputc 21206->21210 21207 a17ca __Getctype 14 API calls 21207->21210 21208 9b868 21209 a140b ___free_lconv_mon 14 API calls 
21208->21209 21209->21205 21210->21205 21210->21206 21210->21207 21210->21208 21211 a140b ___free_lconv_mon 14 API calls 21210->21211 21211->21210 21213 a251b 21212->21213 21217 9b69a 21212->21217 21261 a11db 21213->21261 21218 a29ab GetEnvironmentStringsW 21217->21218 21219 a29c3 21218->21219 21232 9b69f 21218->21232 21220 a28bd _Fputc WideCharToMultiByte 21219->21220 21221 a29e0 21220->21221 21222 a29ea FreeEnvironmentStringsW 21221->21222 21223 a29f5 21221->21223 21222->21232 21224 a174b std::_Locinfo::_Locinfo_dtor 15 API calls 21223->21224 21225 a29fc 21224->21225 21226 a2a04 21225->21226 21227 a2a15 21225->21227 21228 a140b ___free_lconv_mon 14 API calls 21226->21228 21229 a28bd _Fputc WideCharToMultiByte 21227->21229 21230 a2a09 FreeEnvironmentStringsW 21228->21230 21231 a2a25 21229->21231 21230->21232 21233 a2a2c 21231->21233 21234 a2a34 21231->21234 21232->21194 21232->21195 21235 a140b ___free_lconv_mon 14 API calls 21233->21235 21236 a140b ___free_lconv_mon 14 API calls 21234->21236 21237 a2a32 FreeEnvironmentStringsW 21235->21237 21236->21237 21237->21232 21240 9b6f7 21239->21240 21241 a17ca __Getctype 14 API calls 21240->21241 21242 9b71e 21241->21242 21243 9b726 21242->21243 21247 9b730 21242->21247 21244 a140b ___free_lconv_mon 14 API calls 21243->21244 21246 9b6b8 21244->21246 21245 9b78d 21248 a140b ___free_lconv_mon 14 API calls 21245->21248 21246->21200 21247->21245 21247->21247 21249 a17ca __Getctype 14 API calls 21247->21249 21250 9b79c 21247->21250 21255 9b7b7 21247->21255 21257 a140b ___free_lconv_mon 14 API calls 21247->21257 21494 a068d 21247->21494 21248->21246 21249->21247 21503 9b7c4 21250->21503 21254 a140b ___free_lconv_mon 14 API calls 21256 9b7a9 21254->21256 21509 9ad14 IsProcessorFeaturePresent 21255->21509 21259 a140b ___free_lconv_mon 14 API calls 21256->21259 21257->21247 21259->21246 21260 9b7c3 21262 a11ec 21261->21262 21263 a11e6 21261->21263 21264 a3334 __Getctype 6 API calls 21262->21264 21284 a11f2 21262->21284 21265 a32f5 
__Getctype 6 API calls 21263->21265 21266 a1206 21264->21266 21265->21262 21267 a17ca __Getctype 14 API calls 21266->21267 21266->21284 21270 a1216 21267->21270 21268 9ad9f CallUnexpected 42 API calls 21271 a1270 21268->21271 21269 a11f7 21286 a231d 21269->21286 21272 a121e 21270->21272 21273 a1233 21270->21273 21274 a3334 __Getctype 6 API calls 21272->21274 21275 a3334 __Getctype 6 API calls 21273->21275 21276 a122a 21274->21276 21277 a123f 21275->21277 21282 a140b ___free_lconv_mon 14 API calls 21276->21282 21278 a1252 21277->21278 21279 a1243 21277->21279 21281 a0f4e __Getctype 14 API calls 21278->21281 21280 a3334 __Getctype 6 API calls 21279->21280 21280->21276 21283 a125d 21281->21283 21282->21284 21285 a140b ___free_lconv_mon 14 API calls 21283->21285 21284->21268 21284->21269 21285->21269 21309 a2472 21286->21309 21291 a2360 21291->21217 21292 a174b std::_Locinfo::_Locinfo_dtor 15 API calls 21293 a2371 21292->21293 21294 a2379 21293->21294 21295 a2387 21293->21295 21296 a140b ___free_lconv_mon 14 API calls 21294->21296 21327 a256d 21295->21327 21296->21291 21299 a23bf 21300 9fe49 __dosmaperr 14 API calls 21299->21300 21301 a23c4 21300->21301 21302 a140b ___free_lconv_mon 14 API calls 21301->21302 21302->21291 21303 a23da 21305 a140b ___free_lconv_mon 14 API calls 21303->21305 21307 a2406 21303->21307 21304 a140b ___free_lconv_mon 14 API calls 21304->21291 21305->21307 21308 a244f 21307->21308 21338 a1f8f 21307->21338 21308->21304 21310 a247e ___scrt_is_nonwritable_in_current_image 21309->21310 21312 a2498 21310->21312 21346 9f438 EnterCriticalSection 21310->21346 21313 a2347 21312->21313 21315 9ad9f CallUnexpected 42 API calls 21312->21315 21320 a209d 21313->21320 21314 a24d4 21347 a24f1 21314->21347 21317 a2511 21315->21317 21318 a24a8 21318->21314 21319 a140b ___free_lconv_mon 14 API calls 21318->21319 21319->21314 21351 9fe5c 21320->21351 21323 a20be GetOEMCP 21325 a20e7 21323->21325 21324 a20d0 21324->21325 21326 a20d5 GetACP 21324->21326 21325->21291 
21325->21292 21326->21325 21328 a209d 44 API calls 21327->21328 21329 a258d 21328->21329 21331 a25ca IsValidCodePage 21329->21331 21335 a2606 codecvt 21329->21335 21330 9231c _ValidateLocalCookies 5 API calls 21333 a23b4 21330->21333 21332 a25dc 21331->21332 21331->21335 21334 a260b GetCPInfo 21332->21334 21337 a25e5 codecvt 21332->21337 21333->21299 21333->21303 21334->21335 21334->21337 21335->21330 21393 a2171 21337->21393 21339 a1f9b ___scrt_is_nonwritable_in_current_image 21338->21339 21468 9f438 EnterCriticalSection 21339->21468 21341 a1fa5 21469 a1fdc 21341->21469 21346->21318 21350 9f480 LeaveCriticalSection 21347->21350 21349 a24f8 21349->21312 21350->21349 21352 9fe7a 21351->21352 21358 9fe73 21351->21358 21353 a1120 __Getctype 42 API calls 21352->21353 21352->21358 21354 9fe9b 21353->21354 21359 a985e 21354->21359 21358->21323 21358->21324 21360 9feb1 21359->21360 21361 a9871 21359->21361 21363 a98bc 21360->21363 21361->21360 21367 a4e38 21361->21367 21364 a98cf 21363->21364 21366 a98e4 21363->21366 21364->21366 21388 a255a 21364->21388 21366->21358 21368 a4e44 ___scrt_is_nonwritable_in_current_image 21367->21368 21369 a1120 __Getctype 42 API calls 21368->21369 21370 a4e4d 21369->21370 21377 a4e93 21370->21377 21380 9f438 EnterCriticalSection 21370->21380 21372 a4e6b 21381 a4eb9 21372->21381 21377->21360 21378 9ad9f CallUnexpected 42 API calls 21379 a4eb8 21378->21379 21380->21372 21382 a4e7c 21381->21382 21383 a4ec7 __Getctype 21381->21383 21385 a4e98 21382->21385 21383->21382 21384 a4bec __Getctype 14 API calls 21383->21384 21384->21382 21386 9f480 std::_Lockit::~_Lockit LeaveCriticalSection 21385->21386 21387 a4e8f 21386->21387 21387->21377 21387->21378 21389 a1120 __Getctype 42 API calls 21388->21389 21390 a255f 21389->21390 21391 a2472 __strnicoll 42 API calls 21390->21391 21392 a256a 21391->21392 21392->21366 21394 a2199 GetCPInfo 21393->21394 21403 a2262 21393->21403 21395 a21b1 21394->21395 21394->21403 21404 a4a66 21395->21404 21397 9231c 
_ValidateLocalCookies 5 API calls 21399 a231b 21397->21399 21399->21335 21402 a9e6a 46 API calls 21402->21403 21403->21397 21405 9fe5c __strnicoll 42 API calls 21404->21405 21406 a4a86 21405->21406 21424 a2841 21406->21424 21408 a4b4a 21411 9231c _ValidateLocalCookies 5 API calls 21408->21411 21409 a4b42 21427 96f95 21409->21427 21410 a4ab3 21410->21408 21410->21409 21413 a174b std::_Locinfo::_Locinfo_dtor 15 API calls 21410->21413 21415 a4ad8 codecvt __alloca_probe_16 21410->21415 21414 a2219 21411->21414 21413->21415 21419 a9e6a 21414->21419 21415->21409 21416 a2841 ctype MultiByteToWideChar 21415->21416 21417 a4b23 21416->21417 21417->21409 21418 a4b2e GetStringTypeW 21417->21418 21418->21409 21420 9fe5c __strnicoll 42 API calls 21419->21420 21421 a9e7d 21420->21421 21431 a9c7c 21421->21431 21425 a2852 MultiByteToWideChar 21424->21425 21425->21410 21428 96f9f 21427->21428 21430 96fb0 21427->21430 21429 9ad48 ___std_exception_destroy 14 API calls 21428->21429 21428->21430 21429->21430 21430->21408 21432 a9c97 ctype 21431->21432 21433 a2841 ctype MultiByteToWideChar 21432->21433 21437 a9cdd 21433->21437 21434 a9e55 21435 9231c _ValidateLocalCookies 5 API calls 21434->21435 21436 a223a 21435->21436 21436->21402 21437->21434 21438 a174b std::_Locinfo::_Locinfo_dtor 15 API calls 21437->21438 21440 a9d03 __alloca_probe_16 21437->21440 21448 a9d89 21437->21448 21438->21440 21439 96f95 __freea 14 API calls 21439->21434 21441 a2841 ctype MultiByteToWideChar 21440->21441 21440->21448 21442 a9d48 21441->21442 21442->21448 21459 a34b3 21442->21459 21445 a9d7a 21445->21448 21451 a34b3 std::_Locinfo::_Locinfo_dtor 6 API calls 21445->21451 21446 a9db2 21447 a9e3d 21446->21447 21449 a174b std::_Locinfo::_Locinfo_dtor 15 API calls 21446->21449 21452 a9dc4 __alloca_probe_16 21446->21452 21450 96f95 __freea 14 API calls 21447->21450 21448->21439 21449->21452 21450->21448 21451->21448 21452->21447 21453 a34b3 std::_Locinfo::_Locinfo_dtor 6 API calls 21452->21453 21454 a9e07 
21453->21454 21454->21447 21465 a28bd 21454->21465 21456 a9e21 21456->21447 21457 a9e2a 21456->21457 21458 96f95 __freea 14 API calls 21457->21458 21458->21448 21460 a2fe2 std::_Locinfo::_Locinfo_dtor 5 API calls 21459->21460 21461 a34be 21460->21461 21462 a34c4 21461->21462 21463 a3510 std::_Locinfo::_Locinfo_dtor 5 API calls 21461->21463 21462->21445 21462->21446 21462->21448 21464 a3504 LCMapStringW 21463->21464 21464->21462 21467 a28d4 WideCharToMultiByte 21465->21467 21467->21456 21468->21341 21479 9f376 21469->21479 21471 a1ffe 21472 9f376 __fread_nolock 42 API calls 21471->21472 21473 a201d 21472->21473 21474 a1fb2 21473->21474 21475 a140b ___free_lconv_mon 14 API calls 21473->21475 21476 a1fd0 21474->21476 21475->21474 21493 9f480 LeaveCriticalSection 21476->21493 21478 a1fbe 21478->21308 21480 9f387 21479->21480 21489 9f383 codecvt 21479->21489 21481 9f38e 21480->21481 21482 9f3a1 codecvt 21480->21482 21483 9fe49 __dosmaperr 14 API calls 21481->21483 21486 9f3d8 21482->21486 21487 9f3cf 21482->21487 21482->21489 21484 9f393 21483->21484 21485 9ace7 __strnicoll 42 API calls 21484->21485 21485->21489 21486->21489 21491 9fe49 __dosmaperr 14 API calls 21486->21491 21488 9fe49 __dosmaperr 14 API calls 21487->21488 21490 9f3d4 21488->21490 21489->21471 21492 9ace7 __strnicoll 42 API calls 21490->21492 21491->21490 21492->21489 21493->21478 21495 a069b 21494->21495 21496 a06a9 21494->21496 21495->21496 21501 a06c1 21495->21501 21497 9fe49 __dosmaperr 14 API calls 21496->21497 21498 a06b1 21497->21498 21499 9ace7 __strnicoll 42 API calls 21498->21499 21500 a06bb 21499->21500 21500->21247 21501->21500 21502 9fe49 __dosmaperr 14 API calls 21501->21502 21502->21498 21504 9b7d1 21503->21504 21508 9b7a2 21503->21508 21505 9b7e8 21504->21505 21506 a140b ___free_lconv_mon 14 API calls 21504->21506 21507 a140b ___free_lconv_mon 14 API calls 21505->21507 21506->21504 21507->21508 21508->21254 21510 9ad20 21509->21510 21511 9aaeb CallUnexpected 8 API calls 21510->21511 
21512 9ad35 GetCurrentProcess TerminateProcess 21511->21512 21512->21260 21526 81650 GetPEB 21513->21526 21515 8168b 21527 814e0 21515->21527 21519 82a4c 21518->21519 21532 86cc0 21519->21532 21521 81d2e 21522 82a70 21521->21522 21523 82a84 21522->21523 21524 882a0 58 API calls 21523->21524 21525 82a98 21523->21525 21524->21525 21525->21021 21526->21515 21531 8154f 21527->21531 21528 81625 FreeConsole 21528->21017 21529 81e50 std::ios_base::_Init 44 API calls 21529->21531 21530 81f10 std::ios_base::_Init 42 API calls 21530->21531 21531->21528 21531->21529 21531->21530 21533 86d10 21532->21533 21538 86dd0 21533->21538 21535 86d25 21549 86f70 21535->21549 21537 86d48 21537->21521 21539 86e64 21538->21539 21540 86e14 21538->21540 21542 91683 std::ios_base::_Init 16 API calls 21539->21542 21540->21539 21541 86e25 21540->21541 21545 91683 std::ios_base::_Init 16 API calls 21541->21545 21543 86e76 21542->21543 21558 87040 21543->21558 21546 86e37 21545->21546 21555 87000 21546->21555 21550 86f84 21549->21550 21551 86f98 21550->21551 21751 882a0 21550->21751 21553 86fb1 21551->21553 21554 882a0 58 API calls 21551->21554 21553->21537 21554->21553 21565 871a0 21555->21565 21557 86e51 21557->21535 21559 871a0 2 API calls 21558->21559 21560 8708a 21559->21560 21590 89180 21560->21590 21568 87610 21565->21568 21567 871e8 21567->21557 21569 87663 21568->21569 21574 878e0 21569->21574 21581 879d0 21574->21581 21577 87910 21578 87924 std::ios_base::_Init 21577->21578 21588 961b3 21578->21588 21580 87683 21580->21567 21582 87a19 std::ios_base::_Init 21581->21582 21585 9643e 21582->21585 21586 961fb InitializeConditionVariable 21585->21586 21587 87671 21586->21587 21587->21577 21589 9610d InitializeConditionVariable 21588->21589 21589->21580 21607 8bf00 21590->21607 21614 8c010 21607->21614 21617 8c040 21614->21617 21626 966d9 InitOnceBeginInitialize 21617->21626 21756 88390 21751->21756 21754 97930 CallUnexpected RaiseException 21755 882cf 21754->21755 21761 88470 21756->21761 
21760 882b7 21760->21754 21762 866f0 std::invalid_argument::invalid_argument 43 API calls 21761->21762 21763 883b0 21762->21763 21764 884b0 21763->21764 21767 88520 21764->21767 21766 884c7 std::ios_base::_Init 21766->21760 21770 88530 21767->21770 21771 88528 21770->21771 21772 88557 21770->21772 21771->21766 21773 917c2 std::ios_base::_Init 6 API calls 21772->21773 21774 88565 21773->21774 21774->21771 21775 91ad4 std::ios_base::_Init 45 API calls 21774->21775 21776 88580 21775->21776 21777 91778 __Init_thread_footer 5 API calls 21776->21777 21777->21771 21779 9bd75 21778->21779 21780 9bd87 ___scrt_uninitialize_crt 21778->21780 21781 9bd83 21779->21781 21783 9e380 21779->21783 21780->21039 21781->21039 21786 9e20d 21783->21786 21789 9e101 21786->21789 21790 9e10d ___scrt_is_nonwritable_in_current_image 21789->21790 21797 9f438 EnterCriticalSection 21790->21797 21792 9e117 ___scrt_uninitialize_crt 21793 9e183 21792->21793 21798 9e075 21792->21798 21806 9e1a1 21793->21806 21797->21792 21799 9e081 ___scrt_is_nonwritable_in_current_image 21798->21799 21809 9d825 EnterCriticalSection 21799->21809 21801 9e08b ___scrt_uninitialize_crt 21802 9e0c4 21801->21802 21810 9e31b 21801->21810 21823 9e0f5 21802->21823 21927 9f480 LeaveCriticalSection 21806->21927 21808 9e18f 21808->21781 21809->21801 21811 9e330 _Fputc 21810->21811 21812 9e342 21811->21812 21813 9e337 21811->21813 21826 9e2b2 21812->21826 21814 9e20d ___scrt_uninitialize_crt 71 API calls 21813->21814 21816 9e33d 21814->21816 21818 9aa23 _Fputc 42 API calls 21816->21818 21820 9e37a 21818->21820 21820->21802 21821 9e363 21839 a7476 21821->21839 21926 9d839 LeaveCriticalSection 21823->21926 21825 9e0e3 21825->21792 21827 9e2cb 21826->21827 21831 9e2f2 21826->21831 21828 a67f9 _Fputc 42 API calls 21827->21828 21827->21831 21829 9e2e7 21828->21829 21850 a7ca1 21829->21850 21831->21816 21832 a67f9 21831->21832 21833 a681a 21832->21833 21834 a6805 21832->21834 21833->21821 21835 9fe49 __dosmaperr 14 API calls 
21834->21835 21836 a680a 21835->21836 21837 9ace7 __strnicoll 42 API calls 21836->21837 21838 a6815 21837->21838 21838->21821 21840 a7487 21839->21840 21843 a7494 21839->21843 21842 9fe49 __dosmaperr 14 API calls 21840->21842 21841 a74dd 21844 9fe49 __dosmaperr 14 API calls 21841->21844 21849 a748c 21842->21849 21843->21841 21845 a74bb 21843->21845 21846 a74e2 21844->21846 21893 a73d4 21845->21893 21848 9ace7 __strnicoll 42 API calls 21846->21848 21848->21849 21849->21816 21851 a7cad ___scrt_is_nonwritable_in_current_image 21850->21851 21852 a7d71 21851->21852 21854 a7d02 21851->21854 21860 a7cb5 21851->21860 21853 9ac6a _Fputc 29 API calls 21852->21853 21853->21860 21861 a3c42 EnterCriticalSection 21854->21861 21856 a7d08 21857 a7d25 21856->21857 21862 a7da9 21856->21862 21890 a7d69 21857->21890 21860->21831 21861->21856 21863 a7dce 21862->21863 21889 a7df1 __fread_nolock 21862->21889 21864 a7dd2 21863->21864 21866 a7e30 21863->21866 21865 9ac6a _Fputc 29 API calls 21864->21865 21865->21889 21867 a7e47 21866->21867 21868 a881c ___scrt_uninitialize_crt 44 API calls 21866->21868 21869 a792d ___scrt_uninitialize_crt 43 API calls 21867->21869 21868->21867 21870 a7e51 21869->21870 21871 a7e97 21870->21871 21872 a7e57 21870->21872 21873 a7efa WriteFile 21871->21873 21874 a7eab 21871->21874 21875 a7e5e 21872->21875 21876 a7e81 21872->21876 21877 a7f1c GetLastError 21873->21877 21888 a7e92 21873->21888 21879 a7ee8 21874->21879 21880 a7eb3 21874->21880 21883 a78c5 ___scrt_uninitialize_crt 6 API calls 21875->21883 21875->21889 21878 a74f3 ___scrt_uninitialize_crt 48 API calls 21876->21878 21877->21888 21878->21888 21884 a79ab ___scrt_uninitialize_crt 7 API calls 21879->21884 21881 a7eb8 21880->21881 21882 a7ed6 21880->21882 21885 a7ec1 21881->21885 21881->21889 21886 a7b6f ___scrt_uninitialize_crt 8 API calls 21882->21886 21883->21889 21884->21889 21887 a7a86 ___scrt_uninitialize_crt 7 API calls 21885->21887 21886->21888 21887->21889 21888->21889 21889->21857 21891 a3c65 
___scrt_uninitialize_crt LeaveCriticalSection 21890->21891 21892 a7d6f 21891->21892 21892->21860 21894 a73e0 ___scrt_is_nonwritable_in_current_image 21893->21894 21906 a3c42 EnterCriticalSection 21894->21906 21896 a73ef 21905 a7434 21896->21905 21907 a3d19 21896->21907 21898 9fe49 __dosmaperr 14 API calls 21899 a743b 21898->21899 21923 a746a 21899->21923 21900 a741b FlushFileBuffers 21900->21899 21901 a7427 GetLastError 21900->21901 21920 9fe36 21901->21920 21905->21898 21906->21896 21908 a3d26 21907->21908 21910 a3d3b 21907->21910 21909 9fe36 __dosmaperr 14 API calls 21908->21909 21911 a3d2b 21909->21911 21912 9fe36 __dosmaperr 14 API calls 21910->21912 21914 a3d60 21910->21914 21913 9fe49 __dosmaperr 14 API calls 21911->21913 21915 a3d6b 21912->21915 21916 a3d33 21913->21916 21914->21900 21917 9fe49 __dosmaperr 14 API calls 21915->21917 21916->21900 21918 a3d73 21917->21918 21919 9ace7 __strnicoll 42 API calls 21918->21919 21919->21916 21921 a1271 __dosmaperr 14 API calls 21920->21921 21922 9fe3b 21921->21922 21922->21905 21924 a3c65 ___scrt_uninitialize_crt LeaveCriticalSection 21923->21924 21925 a7453 21924->21925 21925->21849 21926->21825 21927->21808 21928 a6b94 21929 a67f9 _Fputc 42 API calls 21928->21929 21930 a6ba1 21929->21930 21931 a6bad 21930->21931 21932 a6bf9 21930->21932 21951 a6f2a 21930->21951 21932->21931 21934 a6c5b 21932->21934 21959 a3873 21932->21959 21940 a6d84 21934->21940 21941 a67f9 _Fputc 42 API calls 21940->21941 21942 a6d93 21941->21942 21943 a6e39 21942->21943 21944 a6da6 21942->21944 21945 a7ca1 ___scrt_uninitialize_crt 67 API calls 21943->21945 21946 a6dc3 21944->21946 21948 a6dea 21944->21948 21949 a6c6c 21945->21949 21947 a7ca1 ___scrt_uninitialize_crt 67 API calls 21946->21947 21947->21949 21948->21949 21970 a877e 21948->21970 21952 a6f40 21951->21952 21953 a6f44 21951->21953 21952->21932 21954 a6f93 21953->21954 21955 a3d19 __fread_nolock 42 API calls 21953->21955 21954->21932 21956 a6f65 21955->21956 21956->21954 21957 a6f6d 
SetFilePointerEx 21956->21957 21957->21954 21958 a6f84 GetFileSizeEx 21957->21958 21958->21954 21961 a387f 21959->21961 21960 a38a0 21960->21934 21965 a7169 21960->21965 21961->21960 21962 a67f9 _Fputc 42 API calls 21961->21962 21963 a389a 21962->21963 21998 ac87b 21963->21998 21966 a17ca __Getctype 14 API calls 21965->21966 21967 a7186 21966->21967 21968 a140b ___free_lconv_mon 14 API calls 21967->21968 21969 a7190 21968->21969 21969->21934 21971 a8792 _Fputc 21970->21971 21976 a85d5 21971->21976 21974 9aa23 _Fputc 42 API calls 21975 a87b6 21974->21975 21975->21949 21978 a85e1 ___scrt_is_nonwritable_in_current_image 21976->21978 21977 a86bf 21979 9ac6a _Fputc 29 API calls 21977->21979 21978->21977 21980 a863d 21978->21980 21986 a85e9 21978->21986 21979->21986 21987 a3c42 EnterCriticalSection 21980->21987 21982 a8643 21983 a8668 21982->21983 21988 a86fb 21982->21988 21994 a86b7 21983->21994 21986->21974 21987->21982 21989 a3d19 __fread_nolock 42 API calls 21988->21989 21990 a870d 21989->21990 21991 a8729 SetFilePointerEx 21990->21991 21993 a8715 __fread_nolock 21990->21993 21992 a8741 GetLastError 21991->21992 21991->21993 21992->21993 21993->21983 21997 a3c65 LeaveCriticalSection 21994->21997 21996 a86bd 21996->21986 21997->21996 21999 ac888 21998->21999 22000 ac895 21998->22000 22001 9fe49 __dosmaperr 14 API calls 21999->22001 22003 ac8a1 22000->22003 22004 9fe49 __dosmaperr 14 API calls 22000->22004 22002 ac88d 22001->22002 22002->21960 22003->21960 22005 ac8c2 22004->22005 22006 9ace7 __strnicoll 42 API calls 22005->22006 22006->22002

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  APIs
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Similarity
• API ID: CryptDestroy$DispatcherExceptionUser
• String ID:
• API String ID: 2357493748-0
• Opcode ID: a5716e5b9f6fda1438ad56888fbb9c028fcc21ac7dd56e91b602d6ff53f01814
• Instruction ID: 37cc26e15db87ac61535aa011d54f09fb27b33066295bacdc9097a6681d8673f
• Opcode Fuzzy Hash: a5716e5b9f6fda1438ad56888fbb9c028fcc21ac7dd56e91b602d6ff53f01814
• Instruction Fuzzy Hash: 12A118745091849FE741EFBCD544F6D7FF1AB4A201F0284ACECC68B3A6CA389A54DB52
Uniqueness Score: -1.00%

Similarity
• API ID: CreateProcess
• String ID: '&e{$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe$D$D$ridding
• API String ID: 963392458-4294493744
• Opcode ID: 2dc7a492eabe6f2045ff69e9092e7830e7127917a58209c23f2ed46cb64beba5
• Instruction ID: 1956284395f0af8bbf9ece51c0bf72a9e2213b2be26b4ee3ef3ff2db674540b7
• Opcode Fuzzy Hash: 2dc7a492eabe6f2045ff69e9092e7830e7127917a58209c23f2ed46cb64beba5
• Instruction Fuzzy Hash: F3E1E0B4904218CFDB14EF68C984B9DBBF0BF48318F1085A9E499A7341D7759986CF92
Uniqueness Score: -1.00%

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b962fd2f26cbe9330b84746a34536717462ca516e50708ed7db7ba45343a6a2
• Instruction ID: 4c9a44faa559cb1375aa249e51ba4fd7ca135957292ee89b07efb91b809ac3ed
• Opcode Fuzzy Hash: 4b962fd2f26cbe9330b84746a34536717462ca516e50708ed7db7ba45343a6a2
• Instruction Fuzzy Hash: 38E0B672A15228EBCB15DBD8894598AB2FCEB46B51B1544A6B501D3111D270DE00CBD0
Uniqueness Score: -1.00%

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0523fb0726a566bfb54c014a075df250484c1fd338f8f46bb51b090e01eeff2c
• Instruction ID: 3160bc108ff468b712de6fa247ce79eeb35769dd46b68ee941ee29ba16d99ef2
• Opcode Fuzzy Hash: 0523fb0726a566bfb54c014a075df250484c1fd338f8f46bb51b090e01eeff2c
• Instruction Fuzzy Hash: 38C08C34400B0086CE698B5093713FC33AAE3A37D2F80288CC4120BA52C61E9C86E600
Uniqueness Score: -1.00%

Control-flow Graph
• Nodes (basic block: address range, API or subcall):
• 57: a3019-a3025
• 58: a30b7-a30ba
• 59: a302a-a303b
• 60: a30c0
• 61: a30c2-a30c6
• 62: a3048-a3061 LoadLibraryExW
• 63: a303d-a3040
• 64: a30e0-a30e2
• 65: a3046
• 66: a3063-a306c GetLastError
• 67: a30c7-a30d7
• 68: a30d9-a30da FreeLibrary
• 69: a30b4
• 70: a306e-a3080 call a0da8
• 71: a30a5-a30b2
• 74: a3082-a3094 call a0da8
• 77: a3096-a30a3 LoadLibraryExW
• Edges: 57->58, 58->59, 58->60, 59->62, 59->63, 60->61, 62->66, 62->67, 63->64, 63->65, 64->61, 65->69, 66->70, 66->71, 67->64, 67->68, 68->64, 69->58, 70->71, 70->74, 71->69, 74->71, 74->77, 77->67, 77->71
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,2792C724,?,000A3126,000835F2,?,?,00000000), ref: 000A30DA
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 81d42fa776aedd7f6e54e092c25a34539ed29ddb6a9ea567a6ae0b4cdaebf4cf
• Instruction ID: 36d0ec8a1efbf000fe48e0af82399deaa37d5c15920e5e48bdadb7e6b3d41647
• Opcode Fuzzy Hash: 81d42fa776aedd7f6e54e092c25a34539ed29ddb6a9ea567a6ae0b4cdaebf4cf
• Instruction Fuzzy Hash: FE21D071A01211ABEB719BE5DC55EAA77A89F437A0F250120FE05E7291EB34EF00C7E0
Uniqueness Score: -1.00%

APIs
• Part of subcall function 0009677B: GetModuleHandleExW.KERNEL32(00000002,00000000,?,?,?,000967CD,?,?,0009680E,?,?,?,?,?,?,?), ref: 00096787
• __Mtx_unlock.LIBCPMT ref: 00096860
• FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,2792C724,?,?,?,000AEE24,000000FF), ref: 00096888
• __Mtx_unlock.LIBCPMT ref: 000968C3
• __Cnd_broadcast.LIBCPMT ref: 000968D4
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Mtx_unlock$CallbackCnd_broadcastFreeHandleLibraryModuleReturnsWhen
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 420990631-0
                                                                                                                                                                                                                  • Opcode ID: a0842af68ffe29cc17bf5a21d5f7b243784b0368ec02a3109cbf554da027d989
                                                                                                                                                                                                                  • Instruction ID: 669a65f56f3a88da9748ef663692b5f30058a0d6fb290676cee01262fb37df55
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a0842af68ffe29cc17bf5a21d5f7b243784b0368ec02a3109cbf554da027d989
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CC110832604604ABCE117FA0DC01EAFB7E8EF45B60F10852AF90593692DF3BD801E7A1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 112 a7da9-a7dc8 113 a7dce-a7dd0 112->113 114 a7fa2 112->114 115 a7dfc-a7e22 113->115 116 a7dd2-a7df1 call 9ac6a 113->116 117 a7fa4-a7fa8 114->117 118 a7e28-a7e2e 115->118 119 a7e24-a7e26 115->119 125 a7df4-a7df7 116->125 118->116 121 a7e30-a7e3a 118->121 119->118 119->121 123 a7e4a-a7e55 call a792d 121->123 124 a7e3c-a7e47 call a881c 121->124 130 a7e97-a7ea9 123->130 131 a7e57-a7e5c 123->131 124->123 125->117 132 a7efa-a7f1a WriteFile 130->132 133 a7eab-a7eb1 130->133 134 a7e5e-a7e62 131->134 135 a7e81-a7e95 call a74f3 131->135 136 a7f1c-a7f22 GetLastError 132->136 137 a7f25 132->137 139 a7ee8-a7ef3 call a79ab 133->139 140 a7eb3-a7eb6 133->140 141 a7f6a-a7f7c 134->141 142 a7e68-a7e77 call a78c5 134->142 151 a7e7a-a7e7c 135->151 136->137 144 a7f28-a7f33 137->144 157 a7ef8 139->157 145 a7eb8-a7ebb 140->145 146 a7ed6-a7ee6 call a7b6f 140->146 147 a7f7e-a7f84 141->147 148 a7f86-a7f98 141->148 142->151 152 a7f9d-a7fa0 144->152 153 a7f35-a7f3a 144->153 145->141 154 a7ec1-a7ecc call a7a86 145->154 162 a7ed1-a7ed4 146->162 147->114 147->148 148->125 151->144 152->117 158 a7f68 153->158 159 a7f3c-a7f41 153->159 154->162 157->162 158->141 163 a7f5a-a7f63 call 9fe12 159->163 164 a7f43-a7f55 159->164 162->151 163->125 164->125
APIs
  • Part of subcall function 000A74F3: GetConsoleOutputCP.KERNEL32(2792C724,?,00000000,?), ref: 000A7556
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,?,?,0009E34C,?), ref: 000A7F12
• GetLastError.KERNEL32(?,?,0009E34C,?,{,00000000,?,00000000,0009E17B,?,?,?,000BDF78,0000002C,0009E24C,?), ref: 000A7F1C
Strings
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID: L
• API String ID: 2915228174-864600647
• Opcode ID: 49e67fb9ed954d50c37ef9809ac9759433465d72f626b44c4d485fa019fff0b2
• Instruction ID: 90c1de8e82618034f72e4ea0b0bfb5deacae3e0cd448ba0ef7e2e209108cd246
• Opcode Fuzzy Hash: 49e67fb9ed954d50c37ef9809ac9759433465d72f626b44c4d485fa019fff0b2
• Instruction Fuzzy Hash: F2618171D08249AFDF11CFE8CC84AEE7BB9AF5A304F148095E808A7252D735DE01CB61
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 167 83a50-83ad5 call 94d11 call 841f0 call 84250 175 83adb-83adf 167->175 176 83b80-83ba2 call 94d69 167->176 178 83af0-83afd call 84300 175->178 179 83ae5-83aeb 175->179 183 83b02-83b10 178->183 181 83b7b 179->181 181->176 185 83b20-83b76 call 84460 call 94eda call 844a0 call 844d0 183->185 186 83b16-83b1b call 84430 183->186 185->181 186->185
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00083A8D
  • Part of subcall function 000841F0: std::_Lockit::_Lockit.LIBCPMT ref: 00084214
  • Part of subcall function 000841F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0008423F
• std::_Facet_Register.LIBCPMT ref: 00083B46
• std::_Lockit::~_Lockit.LIBCPMT ref: 00083B89
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
• String ID:
• API String ID: 459529453-0
• Opcode ID: a51db4b8433eae29836096fbca242fca162f858277f78cecd6ec78daacb157a9
• Instruction ID: 2db0c810cd5f626be7636c6d2ec63a72f31d8d38256d15a8e41f5d223e0b3bb0
• Opcode Fuzzy Hash: a51db4b8433eae29836096fbca242fca162f858277f78cecd6ec78daacb157a9
• Instruction Fuzzy Hash: 4941A2B4E01209DFCB14EFA8D995AEDBBF0BB48710F104129E856A7351D734AA44CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 199 9b1ba-9b1c6 call 9b22e 202 9b1d8-9b1e4 call 9b250 ExitProcess 199->202 203 9b1c8-9b1d2 GetCurrentProcess TerminateProcess 199->203 203->202
APIs
• GetCurrentProcess.KERNEL32(?,?,0009B1B4,00000000,0009AAEA,?,?,2792C724,0009AAEA,?), ref: 0009B1CB
• TerminateProcess.KERNEL32(00000000,?,0009B1B4,00000000,0009AAEA,?,?,2792C724,0009AAEA,?), ref: 0009B1D2
• ExitProcess.KERNEL32 ref: 0009B1E4
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 16a28e4a75ebdc88e1220823cc4e644e7a78b8569d1db4558cc1d6ef8e853b5b
• Instruction ID: 8194daf3afd1b8dc5d293b87efd48b0c1c693a22b7f5d1abb8b2f86e8bbb1e45
• Opcode Fuzzy Hash: 16a28e4a75ebdc88e1220823cc4e644e7a78b8569d1db4558cc1d6ef8e853b5b
• Instruction Fuzzy Hash: CAD09E31000509ABDF513FA0ED0DCAE3F65EF417517504020B91999073DB759996EB40
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                  control_flow_graph 206 81a06-81a0e 208 81a13-81a1a 206->208 209 81a4a 208->209 210 81a20-81a40 CreateProcessW 208->210 211 81a54-81a6a 209->211 218 817f3 210->218 219 81b95-81ba8 210->219 213 81a70-81aed WriteProcessMemory 211->213 214 81af2-81b8b WriteProcessMemory Wow64SetThreadContext call 814e0 ResumeThread 211->214 213->211 214->219 220 817f9 218->220 221 81801-8181c call 814e0 218->221 220->221 222 817ff 220->222 225 8182a-8189f VirtualAllocEx call 814e0 * 2 221->225 226 81822 221->226 222->221 232 818ad-818c8 Wow64GetThreadContext 225->232 233 818a5 225->233 226->225 227 81828 226->227 227->225 234 818ce-818d1 232->234 235 81b90 232->235 233->232 236 818ab 233->236 237 818d9-81a45 call 814e0 ReadProcessMemory VirtualAllocEx call 814e0 call 81f40 call 82430 WriteProcessMemory 234->237 238 818d7 234->238 235->219 236->232 237->208 238->237
APIs
• CreateProcessW.KERNELBASE ref: 000817E1
• WriteProcessMemory.KERNELBASE ref: 00081AD9
• WriteProcessMemory.KERNELBASE ref: 00081B2D
• Wow64SetThreadContext.KERNEL32 ref: 00081B5A
• ResumeThread.KERNELBASE ref: 00081B86
Strings
• C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, xrefs: 00081790
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: Process$MemoryThreadWrite$ContextCreateResumeWow64
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
• API String ID: 2015093061-448403072
• Opcode ID: 4373cb918854bc66b695f4ffa2f0aaf0f691392deb89aebb2e901cdb2d52f624
• Instruction ID: f7c048b7e87ce3ad8c3bd17e04b780afecc66e60182535f36d4063af2c0f1b08
• Opcode Fuzzy Hash: 4373cb918854bc66b695f4ffa2f0aaf0f691392deb89aebb2e901cdb2d52f624
• Instruction Fuzzy Hash: 2901E9B0809705CBDB24EF64D85839EBBF4FF48315F108A5DE09996280D7798689CF87
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,?,000A7EF8,?,?,?,00000000,?,?), ref: 000A7A47
• GetLastError.KERNEL32(?,000A7EF8,?,?,?,00000000,?,?,?,00000000,?,?,00000000,?,?,0009E34C), ref: 000A7A6D
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: 21920fe48b37bdabcb11a955ac284a0b967f4ddb02cc8c139e3643cb8f3ae7bd
• Instruction ID: d772882e291e0d0759711277e50badbb9a60f15780edb9989249ba7aa88c3fca
• Opcode Fuzzy Hash: 21920fe48b37bdabcb11a955ac284a0b967f4ddb02cc8c139e3643cb8f3ae7bd
• Instruction Fuzzy Hash: 2C21A331A04219AFCF19CF69DD809EDB7F9EF99301F1480A9E90AD7211D630DE46CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 000845A4
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0008461E
  • Part of subcall function 0009500C: _Yarn.LIBCPMT ref: 0009502B
  • Part of subcall function 0009500C: _Yarn.LIBCPMT ref: 0009504F
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
• String ID:
• API String ID: 1908188788-0
• Opcode ID: 38aee30ad1318b9ed154332057f1e1ddd01bb80b3b74eafd01b678583d438a21
• Instruction ID: 68c475a68df132adf0a37e8db46e008b6e1e057e7a6f60b6ad2dda312b3f3518
• Opcode Fuzzy Hash: 38aee30ad1318b9ed154332057f1e1ddd01bb80b3b74eafd01b678583d438a21
• Instruction Fuzzy Hash: 573109B0D00249CFCB18EFA8D8416EEBBB1FF49314F04452DE5456B342DB399954CBA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetStdHandle.KERNEL32(000000F6), ref: 000A36EA
• GetFileType.KERNELBASE(00000000), ref: 000A36FC
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: 3e9051131805181ec8d7bf01e49331a57af97dfda9476ede8e964c95ef1707c1
• Instruction ID: 801f6ca730ebd25e85561c7335547e05acc18f1a40712f8cbae31eb0d4d76f4a
• Opcode Fuzzy Hash: 3e9051131805181ec8d7bf01e49331a57af97dfda9476ede8e964c95ef1707c1
• Instruction Fuzzy Hash: F011D6F150874156DB704ABE8C8863BBAD5A797330B38071AF0B6876F1C734DE86D240
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: 279271cf218d4a5e64b476760aae58a51e2197e098d52281b19bf2aae5863f79
                                                                                                                                                                                                                  • Instruction ID: 9e22dfc142dfa54d4c2e384608328082cc89e619cd3ed10770da6cb8b1997f94
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 279271cf218d4a5e64b476760aae58a51e2197e098d52281b19bf2aae5863f79
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2FD1F474604B40DFC724EF28C595A6ABBE0BF58714B108A1DE8D78BBA2D735FA44CB41
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (function starting at a1558; graph image and node list not reproduced)
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 06aeefd1b85e1e9d998eec310b6867be6776af32210210aead6edab63b6def3c
• Instruction ID: 9a27eb2d1901f577f9cc673672ee7aa78d906be73c3189de5ab2e08bbc0fb954
• Opcode Fuzzy Hash: 06aeefd1b85e1e9d998eec310b6867be6776af32210210aead6edab63b6def3c
• Instruction Fuzzy Hash: 18510172D042158FEF64ABE8D8847FDB7F0AF5B364F190129E552AB292D7318C00CB91
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (function starting at 93065; graph image and node list not reproduced)
APIs
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: Fputc
• String ID:
• API String ID: 3078413507-0
• Opcode ID: f1e1829e0d3466d9d7d40e5d3b2c50f64f4c543ed441ed123b08c2021ed8786b
• Instruction ID: 1e550cd5974db8c5eb0dfa2945065dd7abe9d276e88d16f0e5ec0a7adf7a4c79
• Opcode Fuzzy Hash: f1e1829e0d3466d9d7d40e5d3b2c50f64f4c543ed441ed123b08c2021ed8786b
• Instruction Fuzzy Hash: E4317231A0011AABCF24DFA9C5609EEB7F8BF48354B144569E501E7650EB32EA54EF90
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (function starting at a30e4, calls GetProcAddress; graph image and node list not reproduced)
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e872682ef3fa138a032292c98c7415d822824e3145f7f736b7a5667981b6890c
• Instruction ID: 100fb64ad1625cda8410c69a1c218e6ccf81bece815727ed015243b4dfc288a9
• Opcode Fuzzy Hash: e872682ef3fa138a032292c98c7415d822824e3145f7f736b7a5667981b6890c
• Instruction Fuzzy Hash: EA01B5376102115FAB258FADFD419AB33D6ABC67607148124F905CB194DB359901A790
Uniqueness
• Uniqueness Score: -1.00%
APIs
• RtlAllocateHeap.NTDLL(00000008,00000000,?,?,000A12BE,00000001,00000364,?,00000006,000000FF,?,?,0009FE4E,000A178E,00000000), ref: 000A180B
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 6d30262b13e0fef17c6c1923ff8c11aca91cbd5f4bffc7f924a58245d0013a2c
• Instruction ID: faabc8f32f9f501a13a781e842b1de9adb70f08bc405b93ad5f000512f230f11
• Opcode Fuzzy Hash: 6d30262b13e0fef17c6c1923ff8c11aca91cbd5f4bffc7f924a58245d0013a2c
• Instruction Fuzzy Hash: DCF0E9326045256B9F715BE69C05BEE77DC9F43B60F14C126E954D6091CF38DC0196F1
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 146db756798e617de0e8d2bb33a51d76a7e2cad35e84b0e3ec82c6401b242580
• Instruction ID: 641eef12bb4bd94f9259816efda13a476d095edc33246ad93582a19916a4e6f7
• Opcode Fuzzy Hash: 146db756798e617de0e8d2bb33a51d76a7e2cad35e84b0e3ec82c6401b242580
• Instruction Fuzzy Hash: 8201E8B4A00745CFCB61DF68C580A9ABBF0BF08304B50891EE489DB741E7B1EA44CF80
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0009169D,?,?,000835F2,00000000,?,0008352E), ref: 000A177D
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: bb7762401147f4c70e0fddb61c4b5382c6f6b6987d12fac555b11c150caea0f8
• Instruction ID: 4fb524617a5e5a02cc96ad7424ac80ea82b25e235139028348bcf282f7fcebeb
• Opcode Fuzzy Hash: bb7762401147f4c70e0fddb61c4b5382c6f6b6987d12fac555b11c150caea0f8
• Instruction Fuzzy Hash: 46E0ED352082229AEB7026E6AC04BEE76BC9F833A0F141221ED26920D1CA20CC4092E1
Uniqueness
Uniqueness Score: -1.00%

APIs
• std::ios_base::_Init.LIBCPMT ref: 00093021
  • Part of subcall function 00092C3D: __EH_prolog3.LIBCMT ref: 00092C44
  • Part of subcall function 00092C3D: std::locale::_Init.LIBCPMT ref: 00092C8D
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: Init$H_prolog3std::ios_base::_std::locale::_
• String ID:
• API String ID: 2854901245-0
• Opcode ID: 4b93a0d8f4398604008c618370c4c9ea5dc19b312bab8578cab4cf62148471ca
• Instruction ID: 5589b03a1794696c0860d6b45882c71af5b33c766bde893f51b374cd2793cd8b
• Opcode Fuzzy Hash: 4b93a0d8f4398604008c618370c4c9ea5dc19b312bab8578cab4cf62148471ca
• Instruction Fuzzy Hash: 63F0E5306007146BDB30B6758455B8B77D4AF00334F00881EF48247A82DAB6F4408F94
Uniqueness
Uniqueness Score: -1.00%

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 0008F631
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 3864e6731067c9ddf47fbad72b4bc3454b06bb88b51078060ad0fb35b00bb120
• Instruction ID: 6e4e1508d40c355ed8099d37a2b3c7d3953883510921f98dfca5db691d81ce32
• Opcode Fuzzy Hash: 3864e6731067c9ddf47fbad72b4bc3454b06bb88b51078060ad0fb35b00bb120
• Instruction Fuzzy Hash: FDE04670C04208EFCB44FBB5D1458ACBBB4BF40310F2040B9E999A7367EA319E25DB42
Uniqueness
Uniqueness Score: -1.00%

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 00088A81
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 7b77bb9c90f107982e3fc63dfe5d9a1053ed0cb31bb63efbdf9f80ec20138404
• Instruction ID: b62eedf076881a94d3a7cb83d08cb6c3654514b3ca3ccb06a701e72c6e9c8195
• Opcode Fuzzy Hash: 7b77bb9c90f107982e3fc63dfe5d9a1053ed0cb31bb63efbdf9f80ec20138404
• Instruction Fuzzy Hash: 79E04670C04208EBCB08FBA8D14589CBBB8BF40304F2080BAE99967357DA31AE00DB42
Uniqueness
Uniqueness Score: -1.00%

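The function records in this part of the report all follow one flat layout: an APIs list with reference addresses, the memory dump the function was lifted from (an .sdmp name whose dot-separated fields carry the base address and, in hex, the winnt.h page protection and region type), and the opcode/instruction IDs and fuzzy hashes used for similarity pivots. The parser below is an added example for working with that layout offline; it is not part of the report and not Joe Sandbox code. The sample record is copied from this page's RtlAllocateHeap entry with the layout whitespace and the "Download File" link residue removed and the associated dumps cut to one. The names given to the eight .sdmp fields (process number, stage, dump id, base address, protection, state flag, region type, module id) are an assumption inferred from the values in this report; only the PAGE_* and MEM_* constants are documented Windows values.

```python
import re

# Constructed sample: this page's RtlAllocateHeap record with the leading whitespace and the
# "Download File" link residue removed and the associated dumps cut to one.
SAMPLE_RECORD = """\
APIs
• RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0009169D,?,?,000835F2,00000000,?,0008352E), ref: 000A177D
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: bb7762401147f4c70e0fddb61c4b5382c6f6b6987d12fac555b11c150caea0f8
• Instruction ID: 4fb524617a5e5a02cc96ad7424ac80ea82b25e235139028348bcf282f7fcebeb
• Opcode Fuzzy Hash: bb7762401147f4c70e0fddb61c4b5382c6f6b6987d12fac555b11c150caea0f8
• Instruction Fuzzy Hash: 46E0ED352082229AEB7026E6AC04BEE76BC9F833A0F141221ED26920D1CA20CC4092E1
Uniqueness
Uniqueness Score: -1.00%
"""

# winnt.h protection and region-type constants; the dump name carries them as hex fields.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
API_CALL_RE = re.compile(r"^• (?P<call>.+?),? ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<value>.*)$")


def parse_dump_name(name):
    """Split an .sdmp name into its eight dot-separated fields. The field names are an
    assumption inferred from this report's values; only the winnt.h constants are documented."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name: {name!r}")
    proc, stage, dump_id, base, prot, state, mtype, module = parts
    return {
        "process": int(proc), "stage": int(stage), "dump_id": int(dump_id),
        "base": int(base, 16), "state_flag": int(state, 16), "module": int(module, 16),
        "protection": PAGE_PROTECTION.get(int(prot, 16), f"0x{int(prot, 16):X}"),
        "type": MEM_TYPE.get(int(mtype, 16), f"0x{int(mtype, 16):X}"),
    }


def parse_record(text):
    """One flattened record -> dict: API calls with reference addresses, decoded dumps,
    and the ID/hash fields keyed by lower-cased name (e.g. "instruction_fuzzy_hash")."""
    rec = {"apis": [], "associated": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):
            if line.startswith("Uniqueness Score:"):
                rec["uniqueness_score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            else:
                section = line  # plain lines are section headers
            continue
        if section == "APIs":
            m = API_CALL_RE.match(line)
            if m:
                rec["apis"].append({"call": m["call"], "ref": int(m["ref"], 16)})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m["key"].strip(), m["value"].strip()
        if key == "Source File":
            name, _, rest = value.partition(",")
            rec["source"] = parse_dump_name(name.strip())
            off = re.search(r"Offset: ([0-9A-Fa-f]+)", rest)
            rec["image_base"] = int(off[1], 16) if off else None
            rec["based_on_pe"] = "based on PE: true" in rest
        elif key == "Associated":
            rec["associated"].append(parse_dump_name(value))
        else:
            rec[key.lower().replace(" ", "_")] = value
    return rec


def executable_dumps(rec):
    """Base addresses of dumps mapped with execute permission: the regions the code came from."""
    return [d["base"] for d in [rec["source"], *rec["associated"]]
            if d["protection"].startswith("PAGE_EXECUTE")]


if __name__ == "__main__":
    r = parse_record(SAMPLE_RECORD)
    print(r["api_id"], r["apis"], [hex(b) for b in executable_dumps(r)])
```

On this sample the source dump at 0x81000 decodes to PAGE_EXECUTE_READ / MEM_IMAGE (the image's .text mapping, 0x1000 above the reported image base 0x80000), while the associated dump at 0x80000 is PAGE_READONLY (the PE headers). Running the parser over every record of a report and grouping on instruction_fuzzy_hash is the usual way to find functions shared with other samples; note that the report itself gives every record here a Uniqueness Score of -1.00%, so the hashes are the only pivot this section offers.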
APIs
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: ConsoleFree
• String ID:
• API String ID: 771614528-0
• Opcode ID: ddfd4820a71f847902e93309af009975f3eab553ab26d5fca177e264acbcfc6c
• Instruction ID: edbfe3e7a2443777101255b77d72067a4350d412ec0adc31584a73fdac4bb459
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ddfd4820a71f847902e93309af009975f3eab553ab26d5fca177e264acbcfc6c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 31D09E749042049BC700FFA8944149E77A86F44250F558175D49C87616E63495528B93
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,000A60B2,00000002,00000000,?,?,?,000A60B2,?,00000000), ref: 000A5E2D
                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,000A60B2,00000002,00000000,?,?,?,000A60B2,?,00000000), ref: 000A5E56
                                                                                                                                                                                                                  • GetACP.KERNEL32(?,?,000A60B2,?,00000000), ref: 000A5E6B
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                                                                                  • String ID: ACP$OCP
                                                                                                                                                                                                                  • API String ID: 2299586839-711371036
                                                                                                                                                                                                                  • Opcode ID: baafce104a03e4700485a982110a309b1e368aa3cba2ec1e9ec5e7931d8180f9
                                                                                                                                                                                                                  • Instruction ID: 6224661e4e9c669538a1761058ffc354fa03377846fe2243e6db97b2d9787c51
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: baafce104a03e4700485a982110a309b1e368aa3cba2ec1e9ec5e7931d8180f9
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E921B632700901A6EB78CFD4CD05A9B73E6BF66B62B564025E90ADB111FB32DF40C350
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 000A1120: GetLastError.KERNEL32(?,00000008,000A171F,00000000,0009AC68), ref: 000A1124
                                                                                                                                                                                                                    • Part of subcall function 000A1120: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 000A11C6
                                                                                                                                                                                                                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 000A6075
                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 000A60BE
                                                                                                                                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 000A60CD
                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 000A6115
                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 000A6134
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 415426439-0
                                                                                                                                                                                                                  • Opcode ID: 8c2dde566ef5b9f3b44971f9665b36096071e0bb618af2398b5209a7a9c977f1
                                                                                                                                                                                                                  • Instruction ID: fb6f66e70835f4d4fce03262b549ef3a4c119cf78f47c08cbcb6cf97e9614e33
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c2dde566ef5b9f3b44971f9665b36096071e0bb618af2398b5209a7a9c977f1
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F6517F71A00605AEEB20DFE4CC41EFF77F8BF4A701F184529A911E7192EB729944CBA1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 000A1120: GetLastError.KERNEL32(?,00000008,000A171F,00000000,0009AC68), ref: 000A1124
                                                                                                                                                                                                                    • Part of subcall function 000A1120: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 000A11C6
                                                                                                                                                                                                                  • GetACP.KERNEL32(?,?,?,?,?,?,0009C6B4,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 000A56C6
                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0009C6B4,?,?,?,00000055,?,-00000050,?,?), ref: 000A56F1
                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 000A5854
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                                                                                                                                                                  • String ID: utf8
                                                                                                                                                                                                                  • API String ID: 607553120-905460609
                                                                                                                                                                                                                  • Opcode ID: e5e4ff21856c359353fd6460f4549baded66113620b760f614b2aa7aaea89c66
                                                                                                                                                                                                                  • Instruction ID: ccf0e856ab62b67f8b5ed332a7e7e90bfa5dffb28dd6063be4ec3f00d364dc52
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e5e4ff21856c359353fd6460f4549baded66113620b760f614b2aa7aaea89c66
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2571D675604B02AADB24ABF5DC86BEE73ECFF46701F144469F905EB182EA74D9408660
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00091DBB
                                                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 00091E87
                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00091EA7
                                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00091EB1
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 254469556-0
                                                                                                                                                                                                                  • Opcode ID: 2015c5336ef038d161e0438a2f7a5e570bccdbde069348903b2636a1655be76e
                                                                                                                                                                                                                  • Instruction ID: cc9b1f00d04992d1fd0386bf4621b7ff454aa38cc43371a310f38c31781ec47c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2015c5336ef038d161e0438a2f7a5e570bccdbde069348903b2636a1655be76e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED313675D0521DDBEF20DFA0D989BCCBBF8AF08300F1040AAE44CAB251EB749A859F44
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000A1120: GetLastError.KERNEL32(?,00000008,000A171F,00000000,0009AC68), ref: 000A1124
  • Part of subcall function 000A1120: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 000A11C6
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000A5A6C
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000A5AB6
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000A5B7C
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0009ABE3
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0009ABED
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0009ABFA
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000A1120: GetLastError.KERNEL32(?,00000008,000A171F,00000000,0009AC68), ref: 000A1124
  • Part of subcall function 000A1120: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 000A11C6
• EnumSystemLocalesW.KERNEL32(000A5A18,00000001,00000000,?,-00000050,?,000A6049,00000000,?,?,?,00000055,?), ref: 000A5964
Strings
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID: I`
• API String ID: 2417226690-86175204
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00091F97
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000A1120: GetLastError.KERNEL32(?,00000008,000A171F,00000000,0009AC68), ref: 000A1124
  • Part of subcall function 000A1120: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 000A11C6
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000A5CBF
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3736152602-0
                                                                                                                                                                                                                  • Opcode ID: 99726474e1e47d79101a6006f9589c83adc91b6cad64dbbe48a97567ea1fbb83
                                                                                                                                                                                                                  • Instruction ID: 8b475728b4f42bb1e8a9cb097907a1156bf0552f9bca5b378d1aad80ff877db8
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 99726474e1e47d79101a6006f9589c83adc91b6cad64dbbe48a97567ea1fbb83
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 27218072610606ABDB289BA5DC46EFE73E8FF56311F10007AFD06DA146EB75AD40CB50
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 000A1120: GetLastError.KERNEL32(?,00000008,000A171F,00000000,0009AC68), ref: 000A1124
                                                                                                                                                                                                                    • Part of subcall function 000A1120: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 000A11C6
                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,000A5C34,00000000,00000000,?), ref: 000A5EC6
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3736152602-0
                                                                                                                                                                                                                  • Opcode ID: 8342b659d008cdd1effec057f512caeffe4724f33e2b9eb7c5ba86c7409cc829
                                                                                                                                                                                                                  • Instruction ID: 98a4af49be51d74b483c6d1ca6e3c068162439d865197ae3bdc1f51f72f7e730
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8342b659d008cdd1effec057f512caeffe4724f33e2b9eb7c5ba86c7409cc829
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6CF0A936600511BFDB2896A4CC0ABFB7798FB41755F194434ED06A3181FA74FE41C590
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 000A1120: GetLastError.KERNEL32(?,00000008,000A171F,00000000,0009AC68), ref: 000A1124
                                                                                                                                                                                                                    • Part of subcall function 000A1120: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 000A11C6
                                                                                                                                                                                                                  • EnumSystemLocalesW.KERNEL32(000A5C6B,00000001,?,?,-00000050,?,000A600D,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 000A59D7
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2417226690-0
                                                                                                                                                                                                                  • Opcode ID: 76d47ad3ccb69710ea112c6d867a82deb4e5f787b942ade9c5a78360d9ed123e
                                                                                                                                                                                                                  • Instruction ID: 6b4f4c75552b911ca0ee954021cc6ea2fdb23ad5c731e0f8232480f1049a06b5
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 76d47ad3ccb69710ea112c6d867a82deb4e5f787b942ade9c5a78360d9ed123e
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 91F0C236200B049FDB149FB5DC82ABB7B95FB82769F05442CFA464B691D6719C02CA50
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 0009F438: EnterCriticalSection.KERNEL32(?,?,0009AE36,00000000,000BDDA8,0000000C,0009ADFD,00000000,?,000A17FD,00000000,?,000A12BE,00000001,00000364,?), ref: 0009F447
                                                                                                                                                                                                                  • EnumSystemLocalesW.KERNEL32(000A2E40,00000001,000BE1B8,0000000C,000A3272,00000000), ref: 000A2E85
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1272433827-0
                                                                                                                                                                                                                  • Opcode ID: f8ad336dd846aad596ff18192ff4bb7fa8141d247311978e422cdebb2083faff
                                                                                                                                                                                                                  • Instruction ID: 54f502b746e970c39cff04c46b9e969e040c3ff6a49ebb17438b5bf42e8b65cf
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f8ad336dd846aad596ff18192ff4bb7fa8141d247311978e422cdebb2083faff
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 88F0E772A40205EFEB04EF98E946BED77A0EB89721F10852AE510DB2A1CB795944DB50
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 000A1120: GetLastError.KERNEL32(?,00000008,000A171F,00000000,0009AC68), ref: 000A1124
                                                                                                                                                                                                                    • Part of subcall function 000A1120: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 000A11C6
                                                                                                                                                                                                                  • EnumSystemLocalesW.KERNEL32(000A5800,00000001,?,?,?,000A606B,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 000A58DE
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 371e4c4017dd839dfa655c1c09b2b84d0bce4fd8040a3e492deb99d56bce17ac
• Instruction ID: 35a2c273f0fe41e4768c8739930b969f98d94a38efcf3f121af736c48fe7546b
• Opcode Fuzzy Hash: 371e4c4017dd839dfa655c1c09b2b84d0bce4fd8040a3e492deb99d56bce17ac
• Instruction Fuzzy Hash: AAF0E53A70020597DB14AFB5DC456AA7F94FFC2751B464068EA058B291DA799842C790
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0009D21A,?,20001004,00000000,00000002,?,?,0009C81C), ref: 000A33AA
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 2f3575c26b6f0212ffc22a62ec6942151b5334ff6b90d3bf5f0800e54d402c8c
• Instruction ID: d9944a0c8274e6121d3df0a0c77c75b6e6dc63fd313eb86f45cac278462bdf77
• Opcode Fuzzy Hash: 2f3575c26b6f0212ffc22a62ec6942151b5334ff6b90d3bf5f0800e54d402c8c
• Instruction Fuzzy Hash: 27E04F32504618FBCF122FF0DC04BAE7E66EF46751F004021FD0566121CB769A20AAD4
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 1de8513f91103863b50a5d4d030c6815ee121c075b021c79f26ceef37152388b
• Instruction ID: df67e648ce197e4a68028fad8abd0ed266e6df2000c27c63784f3df3633dbb45
• Opcode Fuzzy Hash: 1de8513f91103863b50a5d4d030c6815ee121c075b021c79f26ceef37152388b
• Instruction Fuzzy Hash: 48A00170741602CBA7648F76AA1926A3BA9AB966D1705806AE509C56A0EA3C8454EF01
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 339d62d68fde077bdbd4d715d79dd56c6cb8eb722a501ec2f20e81a6e2c495c3
• Instruction ID: c075871285986240cdc92d21f031e42fac6324cdef5a2326be1b9f9213ac35a1
• Opcode Fuzzy Hash: 339d62d68fde077bdbd4d715d79dd56c6cb8eb722a501ec2f20e81a6e2c495c3
• Instruction Fuzzy Hash: C4D0923A655A58AFC210DF49E440D41F7B8FB8D670B154066EA0893B20C335FC11CAE0
Uniqueness
Uniqueness Score: -1.00%
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(000F801C,00000FA0,?,?,000916B8), ref: 000916E6
• GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,000916B8), ref: 000916F1
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,000916B8), ref: 00091702
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00091714
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00091722
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,000916B8), ref: 00091745
• DeleteCriticalSection.KERNEL32(000F801C,00000007,?,?,000916B8), ref: 00091761
• CloseHandle.KERNEL32(00000000,?,?,000916B8), ref: 00091771
Strings
• WakeAllConditionVariable, xrefs: 0009171A
• kernel32.dll, xrefs: 000916FD
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 000916EC
• SleepConditionVariableCS, xrefs: 0009170E
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
• String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 2565136772-3242537097
• Opcode ID: bbe0a1feaea61fda581f8997e9d5f0bc073a504feb3c56c3f9873ed8d0e08b92
• Instruction ID: f5c5507587a903f844463be00e0a3788963a6bd45f90f36c0a728deed5ec971c
• Opcode Fuzzy Hash: bbe0a1feaea61fda581f8997e9d5f0bc073a504feb3c56c3f9873ed8d0e08b92
• Instruction Fuzzy Hash: F0014C35B45A13ABFA601BA4AD4DEFA66B8AB45B91B040120FA04DA551DE78C805BA60
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetCurrentThreadId.KERNEL32 ref: 00096245
• GetCurrentThreadId.KERNEL32 ref: 00096262
• GetCurrentThreadId.KERNEL32 ref: 00096283
• GetCurrentThreadId.KERNEL32 ref: 00096306
• __Xtime_diff_to_millis2.LIBCPMT ref: 0009631E
• GetCurrentThreadId.KERNEL32 ref: 0009634A
• GetCurrentThreadId.KERNEL32 ref: 00096390
Strings
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: CurrentThread$Xtime_diff_to_millis2
• String ID: jd
• API String ID: 1280559528-3259793891
• Opcode ID: ecfc2168f0af675e863c397ec50ae0fbdb9167a85650fdf96f1f6fc2e6ad4db1
• Instruction ID: fc7b575c301066a10aba213095d78219bc390d82063c7dc57bff8d63095ee21d
• Opcode Fuzzy Hash: ecfc2168f0af675e863c397ec50ae0fbdb9167a85650fdf96f1f6fc2e6ad4db1
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7E517D71900A16CBCF20DF64C9859ADB7F1FF09710B258469E846AB292C772EE45EF90
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00096FB9
• GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00096FC7
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00096FD8
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00096FE9
Strings
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
• API String ID: 667068680-1247241052
• Opcode ID: 73cf43edf0dfb3645e349628d9983d583bde3df5d70d1e85ae2940d6b4e425d4
• Instruction ID: 35cbe34dabe1d678c4469f03514c0b9f51944a967de9bb6e51a9864e5aa31cd0
• Opcode Fuzzy Hash: 73cf43edf0dfb3645e349628d9983d583bde3df5d70d1e85ae2940d6b4e425d4
• Instruction Fuzzy Hash: A7E0EC7AA56611AFA7006FB0BC0DCE73FF8EB467D23444275F605EA661EB780442CB64
Uniqueness
Uniqueness Score: -1.00%

APIs
• type_info::operator==.LIBVCRUNTIME ref: 00099AD3
• ___TypeMatch.LIBVCRUNTIME ref: 00099BE1
• _UnwindNestedFrames.LIBCMT ref: 00099D33
• CallUnexpected.LIBVCRUNTIME ref: 00099D4E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2751267872-393685449
• Opcode ID: 0fd4e33a25d2c83249b9de1f065d3a84f5a4d8564ea15c7188798345f0aff432
• Instruction ID: 99de1e7e266f57fe12ce2b189b8e6483d789690998403bde570da3dcc94aac22
• Opcode Fuzzy Hash: 0fd4e33a25d2c83249b9de1f065d3a84f5a4d8564ea15c7188798345f0aff432
• Instruction Fuzzy Hash: ACB16571801209EFCF29DFA8C9819EEBBB5FF14310F15815EE8116B212D771DA51EBA2
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID: 0-3907804496
• Opcode ID: 86b7b766704b56ac0d15ce2c424de49a55ea7c68a1f47936319251248c3d587a
• Instruction ID: a0c6fb08a126cf72591deadac134db2f5925a547d8bb0ca30a47129b9b1e4d27
• Opcode Fuzzy Hash: 86b7b766704b56ac0d15ce2c424de49a55ea7c68a1f47936319251248c3d587a
• Instruction Fuzzy Hash: 9CB1D070B00206AFDF11DFE9C884BBE7BF1AF86340F148169E501AB292CB759D42CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16$Info
• String ID:
• API String ID: 127012223-0
• Opcode ID: a804f7c592483ca293e81208851b069228c1c178fb077e4ac7bd70b2a66bda62
• Instruction ID: b1cc12655c9e0ae95d810ade91e0097dc9c3abd5525d0151e312b303ad045143
• Opcode Fuzzy Hash: a804f7c592483ca293e81208851b069228c1c178fb077e4ac7bd70b2a66bda62
• Instruction Fuzzy Hash: 5B71D672904205ABDF259FE48C81BEE77F5AF47310F290157F906A7692EB39DC008760
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00096E12
• __alloca_probe_16.LIBCMT ref: 00096E3E
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00096E7D
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00096E9A
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00096ED9
• __alloca_probe_16.LIBCMT ref: 00096EF6
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00096F38
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00096F5B
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2040435927-0
                                                                                                                                                                                                                  • Opcode ID: ba6e57f1d2706becfb37f264789a816dc5d082b646384a7a6b6e9c86e2f133f3
                                                                                                                                                                                                                  • Instruction ID: 5cdf9c1487326ef589e6f995abb01d6614e10d0744577f3df0f2dd86574dc83b
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ba6e57f1d2706becfb37f264789a816dc5d082b646384a7a6b6e9c86e2f133f3
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 97519B7260020AABEF209FA0EC55FAB7BF9EB44740F154139F915E6151D736DC10EBA0
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 00097E27
• ___except_validate_context_record.LIBVCRUNTIME ref: 00097E2F
• _ValidateLocalCookies.LIBCMT ref: 00097EB8
• __IsNonwritableInCurrentImage.LIBCMT ref: 00097EE3
• _ValidateLocalCookies.LIBCMT ref: 00097F38
Strings
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 386005fb9da15c519c0cde3123f98f489c80fccafab7f45cad1d36a317e0605b
• Instruction ID: e6edbf1d6c8baa93f5a328f12dfc8d626d8f9572956526ee5f63cb12447361be
• Opcode Fuzzy Hash: 386005fb9da15c519c0cde3123f98f489c80fccafab7f45cad1d36a317e0605b
• Instruction Fuzzy Hash: B241C235A14209ABCF10DF68C885AEEBBF5AF49324F1480A5E9186B392D7319D05DBD1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,0009963D,0009739B,00095F74,2792C724,?,?,?,?,000AEC4E,000000FF,?,00088E85), ref: 00099654
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00099662
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0009967B
• SetLastError.KERNEL32(00000000,?,0009963D,0009739B,00095F74,2792C724,?,?,?,?,000AEC4E,000000FF,?,00088E85), ref: 000996CD
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: a9238ec8e260899a0fb7001aa1fe3d9a7252086eafbf4ac18b7cd12adc3d3e98
• Instruction ID: 5902bd88e348a8cceedf90df097933aeb33ee53784c8f502bf8c6c252a2edc77
• Opcode Fuzzy Hash: a9238ec8e260899a0fb7001aa1fe3d9a7252086eafbf4ac18b7cd12adc3d3e98
• Instruction Fuzzy Hash: 9501D43220E3179EBE6426B9AC85ABB2AD4DF063B4B21023DF154840F3FF594C01F186
Uniqueness
Uniqueness Score: -1.00%

Strings
• C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe, xrefs: 000A04F3
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID:
• String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe
• API String ID: 0-3710601626
• Opcode ID: f9bc9febdb58ee9f766a5092c49e1fc98b6cb19611504f69a631f13622dd79e0
• Instruction ID: e0007c09ae350a1ff7c7a9b9ced80dcfda5a3690411080f2e073f7edda055b50
• Opcode Fuzzy Hash: f9bc9febdb58ee9f766a5092c49e1fc98b6cb19611504f69a631f13622dd79e0
• Instruction Fuzzy Hash: DE21A171A00A0AAFDB20AFF1DC40DAB77E9AF463A47108525F919D7152E730ED509FA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2792C724,?,?,00000000,000AEE24,000000FF,?,0009B1E0,?,?,0009B1B4,00000000), ref: 0009B285
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0009B297
• FreeLibrary.KERNEL32(00000000,?,00000000,000AEE24,000000FF,?,0009B1E0,?,?,0009B1B4,00000000), ref: 0009B2B9
Strings
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: af76ef31482a245c01b7903fe87593b477866fcdc69481f024cf524bc8896dfd
• Instruction ID: cd3a761fa9801cfd78b0aaa4291b7c08d470a378dd423b1e14d8311d21c7d48a
• Opcode Fuzzy Hash: af76ef31482a245c01b7903fe87593b477866fcdc69481f024cf524bc8896dfd
• Instruction Fuzzy Hash: 2C01623290066AEBDB118F91DD05FBEBBF8FB05B21F040625E911A6690DB789900CB90
Uniqueness
Uniqueness Score: -1.00%
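
The function entries above share one fixed text layout that is tedious to triage by hand, and most of them (the LCMapStringEx/WideCharToMultiByte locale helper, the _ValidateLocalCookies SEH handler, the FlsGetValue/FlsSetValue per-thread data accessor, and the mscoree.dll/CorExitProcess probe) are MSVC runtime code rather than the loader's own logic. The Python below is an added example, not part of the Joe Sandbox report: it parses one entry into a record, strips the "Download File" link text that page extraction fused onto the dump names, flags strings that point into an IXP00N.TMP directory (the folder IExpress/wextract self-extracting packages unpack into, which is where the dropped 2Iu7231.exe above lives), and recognises the GetModuleHandleExW/GetProcAddress(CorExitProcess)/FreeLibrary triple as the CRT's exit-time CorExitProcess probe so it can be skipped as boilerplate. The sample entry is constructed from values on this page with shortened argument lists; the section names, the "Key: value" split and the `\IXP\d{3}.TMP\` pattern are assumptions about the report layout, not a documented Joe Sandbox schema.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the layout of the function entries above: API rows from
# the CorExitProcess entry (argument lists shortened), one nested subcall row, the
# dropped-path string from the 2Iu7231.exe entry and one fused "Download File" link.
SAMPLE_ENTRY = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2792C724,?,?), ref: 0009B285
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0009B297
• FreeLibrary.KERNEL32(00000000,?,00000000,000AEE24,000000FF,?), ref: 0009B2B9
  • Part of subcall function 000A174B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 000A177D
• __alloca_probe_16.LIBCMT ref: 000A9D03
Strings
• C:\\Users\\user\\AppData\\Local\\Temp\\IXP002.TMP\\2Iu7231.exe, xrefs: 000A04F3
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Opcode ID: af76ef31482a245c01b7903fe87593b477866fcdc69481f024cf524bc8896dfd
Uniqueness
Uniqueness Score: -1.00%
"""

# Assumed section names of one report entry (taken from the page, not a documented schema).
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity", "Uniqueness"}
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xref>[0-9A-F]+)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[0-9.]+)%$")
# %TEMP%\IXP00N.TMP is where IExpress/wextract self-extracting packages unpack.
DROP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
# Call shape of the MSVC CRT's CorExitProcess probe: runtime code, not malware logic.
CRT_COR_EXIT = ["GetModuleHandleExW.KERNEL32", "GetProcAddress.KERNEL32", "FreeLibrary.KERNEL32"]


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)     # dicts: caller, name, module, args, ref
    strings: list = field(default_factory=list)  # dicts: value, xref
    dumps: list = field(default_factory=list)    # source dump first, then associated dumps
    fields: dict = field(default_factory=dict)   # remaining "Key: value" rows
    uniqueness_score: Optional[float] = None


def parse_entry(text: str) -> FunctionEntry:
    entry, section = FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        m = SCORE_RE.match(line)
        if m:
            entry.uniqueness_score = float(m.group("score"))
            continue
        if not line.startswith("•"):
            continue                                   # blank or free text we do not model
        body = line.lstrip("•").strip()
        if body.endswith("Download File"):             # link text fused onto the dump name
            body = body[:-len("Download File")].rstrip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                row = m.groupdict()
                row["args"] = row["args"].split(",") if row["args"] else []
                entry.apis.append(row)
        elif section == "Strings":
            m = STRING_RE.match(body)
            if m:
                entry.strings.append(m.groupdict())
        elif ":" in body:
            key, _, value = body.partition(":")
            key, value = key.strip(), value.strip()
            if key in ("Source File", "Associated"):
                entry.dumps.append(value.split(",", 1)[0])
            else:
                entry.fields[key] = value
    return entry


def api_sequence(entry: FunctionEntry, include_subcalls: bool = False) -> list:
    """Ordered NAME.MODULE list; nested 'Part of subcall' rows are dropped by default."""
    return [f'{a["name"]}.{a["module"]}' for a in entry.apis
            if include_subcalls or a["caller"] is None]


def dropped_temp_paths(entry: FunctionEntry) -> list:
    """Strings that point into an IXP00N.TMP extraction directory."""
    return [s["value"] for s in entry.strings if DROP_DIR_RE.search(s["value"])]


def is_crt_cor_exit(entry: FunctionEntry) -> bool:
    """True when the entry is the CRT's mscoree.dll/CorExitProcess exit probe."""
    return (api_sequence(entry)[:3] == CRT_COR_EXIT and
            any("CorExitProcess" in a["args"] for a in entry.apis if a["name"] == "GetProcAddress"))
```

Run it over each entry of the report to get a list of API sequences and string xrefs per function; entries that `is_crt_cor_exit` (or whose sequence is only LIBCMT/LIBVCRUNTIME helpers) can be set aside, while anything returned by `dropped_temp_paths` points at the staging directory worth adding to a hunt query.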

APIs
• __alloca_probe_16.LIBCMT ref: 000A9D03
• __alloca_probe_16.LIBCMT ref: 000A9DC4
• __freea.LIBCMT ref: 000A9E2B
  • Part of subcall function 000A174B: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0009169D,?,?,000835F2,00000000,?,0008352E), ref: 000A177D
• __freea.LIBCMT ref: 000A9E40
• __freea.LIBCMT ref: 000A9E50
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1423051803-0
                                                                                                                                                                                                                  • Opcode ID: d7528982bdaad09d20eed5ed35a366bffef48d9f3b01aafb06ffbe7ebfcc0b36
                                                                                                                                                                                                                  • Instruction ID: 5abe16cafb10eb1547a6e0c60f3a08e9047e7f7652c8787a0ed4ca679baa07b6
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d7528982bdaad09d20eed5ed35a366bffef48d9f3b01aafb06ffbe7ebfcc0b36
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 40518C7270021AAFEF219FE4DC81EEF7AE9EB46750F150528BD04DB252EA35DD5086A0
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • __EH_prolog3.LIBCMT ref: 00092634
                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0009263E
                                                                                                                                                                                                                    • Part of subcall function 000841F0: std::_Lockit::_Lockit.LIBCPMT ref: 00084214
                                                                                                                                                                                                                    • Part of subcall function 000841F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0008423F
                                                                                                                                                                                                                  • codecvt.LIBCPMT ref: 00092678
                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 0009268F
                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 000926AF
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 712880209-0
                                                                                                                                                                                                                  • Opcode ID: 9ea8a9a6fd97ebb058ea15b4925398c28058caf8753958fff915c0cb5e041d29
                                                                                                                                                                                                                  • Instruction ID: 18360f04c17ab5c511ab7ecfc71e058751c9028a261a6a336ae0dae8ed58366d
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ea8a9a6fd97ebb058ea15b4925398c28058caf8753958fff915c0cb5e041d29
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0101C03590021A9BCF05BBA4D845AFEBBB5BF84710F240109E810AB293DF749E01A780
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • __EH_prolog3.LIBCMT ref: 0009390C
                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00093916
                                                                                                                                                                                                                    • Part of subcall function 000841F0: std::_Lockit::_Lockit.LIBCPMT ref: 00084214
                                                                                                                                                                                                                    • Part of subcall function 000841F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0008423F
                                                                                                                                                                                                                  • codecvt.LIBCPMT ref: 00093950
                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 00093967
                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00093987
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 712880209-0
                                                                                                                                                                                                                  • Opcode ID: 0cd42f834b145817b3d801762d2b0c19ad39ef64d3a3330a071491e847b78622
                                                                                                                                                                                                                  • Instruction ID: 8b34872234bc611f3062d36b62f2e49026c7e8f0f135b5bdeb1a2bd993fdb285
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0cd42f834b145817b3d801762d2b0c19ad39ef64d3a3330a071491e847b78622
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 77018035A005168BCF05EBA4D855BFEB7A5BF84720F254509E8146B292DF749E01AB90
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0009A6F8,?,?,00000000,?,?,?,0009A822,00000002,FlsGetValue,000B2218,FlsGetValue), ref: 0009A754
                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,0009A6F8,?,?,00000000,?,?,?,0009A822,00000002,FlsGetValue,000B2218,FlsGetValue,?,?,00099667), ref: 0009A75E
                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000000,000000FF,?,00088E85,?,?,?,00088C96), ref: 0009A786
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                  • String ID: api-ms-
                                                                                                                                                                                                                  • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                  • Opcode ID: e8263164c2ff8912510957100774df9a2a7c685c3097975e78dc7d268d3fcb55
                                                                                                                                                                                                                  • Instruction ID: 56a126e54566f353edd60e9206c579c7b68ca1e83319e94e5385f7ac9dd1959f
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e8263164c2ff8912510957100774df9a2a7c685c3097975e78dc7d268d3fcb55
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DFE01230784209B7EE711BD0DD46F693BA99B02B54F104030FE0CA80A1E765D9509685
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetConsoleOutputCP.KERNEL32(2792C724,?,00000000,?), ref: 000A7556
                                                                                                                                                                                                                    • Part of subcall function 000A28BD: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,000A9E21,?,00000000,-00000008), ref: 000A2969
                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 000A77B1
                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 000A77F9
• GetLastError.KERNEL32 ref: 000A789C
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: 46949e42a84097b27b4d64f69bc48f607c6dc0e1efd8a3e4f349f5e4b1993206
• Instruction ID: 9c5ea76df2a027f45791a63fb74f4075d6bda1a2d6a07985f5486198d5969b6f
• Opcode Fuzzy Hash: 46949e42a84097b27b4d64f69bc48f607c6dc0e1efd8a3e4f349f5e4b1993206
• Instruction Fuzzy Hash: C7D14975D042489FDF15CFE8D884AEDBBB5FF4A300F18856AE819E7352DA34A941CB50
Uniqueness
• Uniqueness Score: -1.00%

APIs
Yara matches
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: c36c2cb3b30cf6581bba5a79073801a550370d155c01e775e5dcb3f06c5ce8dc
• Instruction ID: e591e4e2ae2c1adde9b0c304e0fabe2ed1a0098f42025bef3597e65fb29d33dd
• Opcode Fuzzy Hash: c36c2cb3b30cf6581bba5a79073801a550370d155c01e775e5dcb3f06c5ce8dc
• Instruction Fuzzy Hash: BC51C072A09202AFEF298F59D841BBAB3E5EF45710F14442DED094B292EB31ED40E790
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000A28BD: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,000A9E21,?,00000000,-00000008), ref: 000A2969
• GetLastError.KERNEL32 ref: 000A18A3
• __dosmaperr.LIBCMT ref: 000A18AA
• GetLastError.KERNEL32(?,?,?,?), ref: 000A18E4
• __dosmaperr.LIBCMT ref: 000A18EB
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: 03037d144520d9c9d6ada6b3cb47b0aa2cbca0b0acdf56f8ad4ebf94efa6cb25
• Instruction ID: 7d1be1938ff3dd3ea8738c77178f7bcf339c41ad08130b82c3c9f58518f72caa
• Opcode Fuzzy Hash: 03037d144520d9c9d6ada6b3cb47b0aa2cbca0b0acdf56f8ad4ebf94efa6cb25
• Instruction Fuzzy Hash: 8821957160460AAFDF20AFE6C8818EBB7EEEF063A4B144529F915D7152DB35EC409B50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 000A29B3
  • Part of subcall function 000A28BD: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,000A9E21,?,00000000,-00000008), ref: 000A2969
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000A29EB
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000A2A0B
Yara matches
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: 03c3ecf25bd6f332c6d5e9c671176e5ed1dd0bed77833e59523d177f9ddaff19
• Instruction ID: e051c4b1815635a824075a3a0003fab201fdf071445d7dd214be1dcda56446ff
• Opcode Fuzzy Hash: 03c3ecf25bd6f332c6d5e9c671176e5ed1dd0bed77833e59523d177f9ddaff19
• Instruction Fuzzy Hash: D611C4B6902916BF773167FA9D89CFF2DACDF6B794B100134F901D5102EA68CD028171
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 000939A1
• std::_Lockit::_Lockit.LIBCPMT ref: 000939AB
  • Part of subcall function 000841F0: std::_Lockit::_Lockit.LIBCPMT ref: 00084214
  • Part of subcall function 000841F0: std::_Lockit::~_Lockit.LIBCPMT ref: 0008423F
• ctype.LIBCPMT ref: 000939E5
• std::_Lockit::~_Lockit.LIBCPMT ref: 00093A1C
Yara matches
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
• String ID:
• API String ID: 3358926169-0
• Opcode ID: 1e1ab609f7efc5de1cee65739bf9f6a2561d33f3798079df1c909f32d3e15ca6
• Instruction ID: 2aca1cfa3418d08d5df12b84cac61af35cffdecbce79f9f8f339f266b8de4352
• Opcode Fuzzy Hash: 1e1ab609f7efc5de1cee65739bf9f6a2561d33f3798079df1c909f32d3e15ca6
• Instruction Fuzzy Hash: FAF0B43590010A9BCF44FBE0C806BFE3765AF40B20F510518F8206B1C3EF348E059B81
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,000ACDDC,?,00000001,?,?,?,000A78F0,?,?,00000000), ref: 000ADB7C
• GetLastError.KERNEL32(?,000ACDDC,?,00000001,?,?,?,000A78F0,?,?,00000000,?,?,?,000A7E77,?), ref: 000ADB88
  • Part of subcall function 000ADB4E: CloseHandle.KERNEL32(FFFFFFFE,000ADB98,?,000ACDDC,?,00000001,?,?,?,000A78F0,?,?,00000000,?,?), ref: 000ADB5E
• ___initconout.LIBCMT ref: 000ADB98
  • Part of subcall function 000ADB10: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,000ADB3F,000ACDC9,?,?,000A78F0,?,?,00000000,?), ref: 000ADB23
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,000ACDDC,?,00000001,?,?,?,000A78F0,?,?,00000000,?), ref: 000ADBAD
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2744216297-0
                                                                                                                                                                                                                  • Opcode ID: 1d88c2c074720c87d403b568e2595cb17f83494bd2b0082f2610d33b46740d45
                                                                                                                                                                                                                  • Instruction ID: 4e5737eb5b2e0da7940a4785dfda50f8217357ea85ad31ee3861f2772d31f0b4
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1d88c2c074720c87d403b568e2595cb17f83494bd2b0082f2610d33b46740d45
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 60F01236110155BBDF125FD5EC04E9A3F65FB463A0F014011FA1D85521C7328920DBA1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• SleepConditionVariableCS.KERNELBASE(?,000917E7,00000064), ref: 0009186D
• LeaveCriticalSection.KERNEL32(000F801C,?,?,000917E7,00000064,?,000858A5,?,?,00085838,?,00085677), ref: 00091877
• WaitForSingleObjectEx.KERNEL32(?,00000000,?,000917E7,00000064,?,000858A5,?,?,00085838,?,00085677), ref: 00091888
• EnterCriticalSection.KERNEL32(000F801C,?,000917E7,00000064,?,000858A5,?,?,00085838,?,00085677), ref: 0009188F
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
• String ID:
• API String ID: 3269011525-0
• Opcode ID: 8379aceed7c2bbee7b3febef9dfcd466c8a6b502407138fbb8d25c4b954190d7
• Instruction ID: 720b955f50e2d3f3d715005ae0d2cae78f35edcba1821540ceea854ef4f1b688
• Opcode Fuzzy Hash: 8379aceed7c2bbee7b3febef9dfcd466c8a6b502407138fbb8d25c4b954190d7
• Instruction Fuzzy Hash: 14E09231601D29FBDB612B90EC0CDFE3F29AB0A770B408030F7096A571CE684904BBE4
Uniqueness

Uniqueness Score: -1.00%

APIs
• __startOneArgErrorHandling.LIBCMT ref: 000A00FD
Strings
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: 9842af1ea6603b116bb57f23076448e3a4be45de733b549403884dc0187125d6
• Instruction ID: 866edab5f1a437b5aa2e14a3799cb5964fd774c07dd49c3dbced346363b5d4fd
• Opcode Fuzzy Hash: 9842af1ea6603b116bb57f23076448e3a4be45de733b549403884dc0187125d6
• Instruction Fuzzy Hash: 12517C61A1820986DB617BD4CD417FE7BD4EB53701F208E68E0D5422EBEB398C94DB47
Uniqueness

Uniqueness Score: -1.00%

APIs
• EncodePointer.KERNEL32(00000000,?), ref: 00099D7E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
• Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 31709d0abd0a4490ecb4d5a334018daa9db5d06aaa48c8b1a944d194d103f796
• Instruction ID: 69c4413959f20d0f25290e4ebe906de6fe376526fadec0eebe02b3b445b15d82
• Opcode Fuzzy Hash: 31709d0abd0a4490ecb4d5a334018daa9db5d06aaa48c8b1a944d194d103f796
• Instruction Fuzzy Hash: EC414A72900209EFDF15DF98CC81AEEBBB5FF48304F158159F904A7252D3359A51EB51
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 000960BD
                                                                                                                                                                                                                  • RaiseException.KERNEL32(?,?,?,?), ref: 000960E2
                                                                                                                                                                                                                    • Part of subcall function 00097930: RaiseException.KERNEL32(E06D7363,00000001,00000003,00091DAE,?,?,?,?,00091DAE,00000000,000BBEDC,00000000), ref: 00097990
                                                                                                                                                                                                                    • Part of subcall function 0009AD9F: IsProcessorFeaturePresent.KERNEL32(00000017,0009AAEA,?,0009AA59,?,00000000,0009AC68,?,?,?,?,?,00000000,?,?,0009AD06), ref: 0009ADBB
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000003.00000002.2216650928.0000000000081000.00000020.00000001.01000000.00000006.sdmp, Offset: 00080000, based on PE: true
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216626326.0000000000080000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216686529.00000000000AF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000BF000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216710591.00000000000F5000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 00000003.00000002.2216767194.00000000000FA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_80000_2Iu7231.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
• String ID: csm
• API String ID: 1924019822-1018135373
• Opcode ID: 12d57c7c928eadb02208de5f94047dbdb0223da41eaae79ebfad875af5f30f3c
• Instruction ID: 1337045233a944eea18684a52006340aae9c03842bb479d92945c06b5a583bbe
• Opcode Fuzzy Hash: 12d57c7c928eadb02208de5f94047dbdb0223da41eaae79ebfad875af5f30f3c
• Instruction Fuzzy Hash: D621AC32D00218ABCF34DFE9E981AEFB7F9AF84710F540419E505AB252D772AD54EB81
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 18.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 5.1%
Total number of Nodes: 117
Total number of Limit Nodes: 8

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2394943372.000000000D7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d7f0000_AppLaunch.jbxd
Similarity
• API ID: InitializeThunk
• String ID: .$1
• API String ID: 2994545307-1839485796
• Opcode ID: b6f05f0b7d6bd1b109ea73258c31ba1b8f27914adc7d9fada2fa0694fc9d634f
• Instruction ID: 5988c1f1d59da6a3dc57f1824b013f79c26a85b1bd6a6414948196112c308f0f
• Opcode Fuzzy Hash: b6f05f0b7d6bd1b109ea73258c31ba1b8f27914adc7d9fada2fa0694fc9d634f
• Instruction Fuzzy Hash: F2F1E374E01228CFDB69DF65D894B9DBBB2BF89305F1082A9D509A7394DB319E81CF10
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000B.00000002.2394943372.000000000D7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d7f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: 6af34065aa461c90a30e457b981400879e1435f95bb4d69b96f0ac0c54c21cc2
• Instruction ID: 1718e6acf64beca78560b64bcb69546c41519636ddc7557ab95fc96f54063469
• Opcode Fuzzy Hash: 6af34065aa461c90a30e457b981400879e1435f95bb4d69b96f0ac0c54c21cc2
• Instruction Fuzzy Hash: B722BD70A01228CFDB65DF64C880BDEB7B2BF89304F1095A9D509AB355DB349E86CF54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000B.00000002.2373644691.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_70e0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: a05c4666829c999f946221da04a03781e1d1808506af8e1a6217a1c1e916874e
• Instruction ID: db089e567a349d78f631e05a3b0672157fd4b635527e920174a144f6b508b5e9
• Opcode Fuzzy Hash: a05c4666829c999f946221da04a03781e1d1808506af8e1a6217a1c1e916874e
• Instruction Fuzzy Hash: 5EC1E4B0E0021CCFDB64DFA5C880B9DBBF6BF89304F1092AAD419AB254DB349985CF51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 0000000B.00000002.2394943372.000000000D7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d7f0000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5496fa4414bfb69ae2ac537ed901eff4924fe177c431a41b94f4fda01894c8c9
• Instruction ID: f50bf97ee6620898a94a07b382694207a8515f66c114655729bf28e210330fd2
• Opcode Fuzzy Hash: 5496fa4414bfb69ae2ac537ed901eff4924fe177c431a41b94f4fda01894c8c9
• Instruction Fuzzy Hash: F0E28BB4A012298FCB65DF28D994B9DBBB9FB49304F1081EAD50DA7350DB30AE85CF45
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                  control_flow_graph 1676 d7f17f8-d7f1819 1677 d7f181b 1676->1677 1678 d7f1820-d7f188a 1676->1678 1677->1678 1683 d7f1892-d7f18df 1678->1683 1687 d7f1b30-d7f1b44 1683->1687 1689 d7f1b4a-d7f1b6e 1687->1689 1690 d7f18e4-d7f19e7 1687->1690 1695 d7f1b6f 1689->1695 1705 d7f1ac4-d7f1ad4 1690->1705 1695->1695 1707 d7f19ec-d7f1a02 1705->1707 1708 d7f1ada-d7f1b04 1705->1708 1712 d7f1a2c 1707->1712 1713 d7f1a04-d7f1a10 1707->1713 1717 d7f1b06-d7f1b0f 1708->1717 1718 d7f1b10-d7f1b11 1708->1718 1716 d7f1a32-d7f1a97 1712->1716 1714 d7f1a1a-d7f1a20 1713->1714 1715 d7f1a12-d7f1a18 1713->1715 1719 d7f1a2a 1714->1719 1715->1719 1726 d7f1a99-d7f1aaf 1716->1726 1727 d7f1ab0-d7f1ac3 1716->1727 1717->1718 1718->1687 1719->1716 1726->1727 1727->1705
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2394943372.000000000D7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D7F0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_d7f0000_AppLaunch.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: LR^q$PH^q
                                                                                                                                                                                                                  • API String ID: 0-4173805542
                                                                                                                                                                                                                  • Opcode ID: 50093385e0a7f3812333fd2ba8e9a2592fd21e050eab58a8e04bca2bb86fc310
                                                                                                                                                                                                                  • Instruction ID: caad664c3a56deb7cfe979e008685fe6f0ec96858dee485f0b61d39d8bf32ff0
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 50093385e0a7f3812333fd2ba8e9a2592fd21e050eab58a8e04bca2bb86fc310
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EDA1D474E00318CFDB24DFA5C894BADBBB6BF89300F5085A9D909AB354DB319A85CF51
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2373644691.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_70e0000_AppLaunch.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID: $^q$$^q
                                                                                                                                                                                                                  • API String ID: 0-355816377
                                                                                                                                                                                                                  • Opcode ID: 4945e8fe524085dcd9ee9ba95e33a201a14f988fe5fac0e0fabcf012f8aea024
                                                                                                                                                                                                                  • Instruction ID: 77554b10270b7128c75c4a2d87c5b3a19aae9794592e3509593fd7ab68ffc0b9
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4945e8fe524085dcd9ee9ba95e33a201a14f988fe5fac0e0fabcf012f8aea024
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8151D0B0E0522DCFDB64DFA4C880BADBBB6BF49304F1042AAD409AB254DB745E85CF51
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2394943372.000000000D7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D7F0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_d7f0000_AppLaunch.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: b409fe00ceb341e4b68997faa38dd66b6889d025501d14428cfb8ad5cefa1ae7
                                                                                                                                                                                                                  • Instruction ID: 2847fd224794e1b04278b829c744b74dc1764d0dc8cb47cfc4af0d1ab28d9ba7
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b409fe00ceb341e4b68997faa38dd66b6889d025501d14428cfb8ad5cefa1ae7
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 02226874E01229CFDB65DF69C890BD9B7B1BF89310F5085EAD549AB350EB30AA85CF40
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 072CE0FE
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2373808711.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_72c0000_AppLaunch.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                                                                                  • Opcode ID: 97a2561db1e649c3f74c0b4ea72e56070842f17b3e75a0d38c51c107f3d9c8ce
                                                                                                                                                                                                                  • Instruction ID: 5781c1445c83837c20a9ca54759e065803fb077941f8bf49c4234f9fe2c3c214
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 97a2561db1e649c3f74c0b4ea72e56070842f17b3e75a0d38c51c107f3d9c8ce
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 608134B0A10B469FDB24DF29C45079ABBF5FF98300F008A2ED48ADBA50D775E845CB91
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 072C8A59
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2373808711.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_72c0000_AppLaunch.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Create
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                                                                                  • Opcode ID: fc57d5d783d055dfff6ecd13068f8aa2834f8f222bc1eed90801f8338b9816c4
                                                                                                                                                                                                                  • Instruction ID: f50ea37128c898b6a50dd1ac62b5505924ffea420790db6525ef87b829c116e6
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fc57d5d783d055dfff6ecd13068f8aa2834f8f222bc1eed90801f8338b9816c4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2A41D1B0C00619DEDB24CFA9C984ADEBBF5BF49304F24816AD408AB255DB755946CF90
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 072C8A59
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2373808711.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_72c0000_AppLaunch.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Create
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                                                                                  • Opcode ID: 1707ce8e67043ab220e3b8336e61b5e0e3a93185a918ba67b4c411c4f6637ccc
                                                                                                                                                                                                                  • Instruction ID: 005f3b4216090dd203416b0dabf418f794b945bf4168cd2002c49258a1ad2576
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1707ce8e67043ab220e3b8336e61b5e0e3a93185a918ba67b4c411c4f6637ccc
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E41FFB0C1071DCBDB24CFA9C944B9EBBF5BF48304F24816AD408AB251DB756986CF90
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,072CE179,00000800,00000000,00000000), ref: 072CE38A
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2373808711.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_72c0000_AppLaunch.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                                                                                  • Opcode ID: a60588570ca660a959b0c728caa21f0317ac908543a481d142edf4821b96646c
                                                                                                                                                                                                                  • Instruction ID: 8a9ede4df23790d95d4f92dc75ca8fa62ef482fb4091b6332d609e58bc038ac1
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a60588570ca660a959b0c728caa21f0317ac908543a481d142edf4821b96646c
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 731126B6D003499FDB10CF9AC444AEEFBF4EB98710F11852EE919A7210C379A545CFA5
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,072CE179,00000800,00000000,00000000), ref: 072CE38A
                                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000B.00000002.2373808711.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_72c0000_AppLaunch.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 30154bb5ca9d517a1b544e83fc4678292fff2a932a8f20fe1ba961992b0dece7
• Instruction ID: dc0d90fab7281fe1fca9a1e3a77b3c60f8b26e90ed89854f3e05674f58332882
• Opcode Fuzzy Hash: 30154bb5ca9d517a1b544e83fc4678292fff2a932a8f20fe1ba961992b0dece7
• Instruction Fuzzy Hash: E01114B6D003099FDB24CF9AC484ADEFBF4EB88710F14852ED519A7210C374A545CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E58,?,?,0D7FB8D6), ref: 0D7FB9DE
Memory Dump Source
• Source File: 0000000B.00000002.2394943372.000000000D7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d7f0000_AppLaunch.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 18307186fd2283f43d0c4206fabafe6601c356130b69f4d2886826d4e05dfa76
• Instruction ID: c48e8d2282aaf2e1420118284bf08336e3b0b957fc2a2aa8c93e0dc4e7f5bfad
• Opcode Fuzzy Hash: 18307186fd2283f43d0c4206fabafe6601c356130b69f4d2886826d4e05dfa76
• Instruction Fuzzy Hash: 311123B6D00249CBCB20CF9AC444A9EFBF4EF88324F14842AD559A7310D774A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E58,?,?,0D7FB8D6), ref: 0D7FB9DE
Memory Dump Source
• Source File: 0000000B.00000002.2394943372.000000000D7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_d7f0000_AppLaunch.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 62599ea2945ea043189f2c9a75a318a1fb5c668cf2159d1265911e1596a46194
• Instruction ID: abf41008a8391168d6c38c46bb4a7c4877e370bf9c4eb9c6f43d8f221b9f76e8
• Opcode Fuzzy Hash: 62599ea2945ea043189f2c9a75a318a1fb5c668cf2159d1265911e1596a46194
• Instruction Fuzzy Hash: 8E11F0B6D002498BCB20CF9AC844A9EFBF4EF88224F14882AD569A7310D774A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 072CE0FE
Memory Dump Source
• Source File: 0000000B.00000002.2373808711.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_72c0000_AppLaunch.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: b1fe6e2f500df81b4bf45b3f534666e49b199e16fd4d50387a670cb9e837b9d1
• Instruction ID: a645c4adf100b568886567a8d3406c09defa9f9cedc095eb9397f9f41685e43a
• Opcode Fuzzy Hash: b1fe6e2f500df81b4bf45b3f534666e49b199e16fd4d50387a670cb9e837b9d1
• Instruction Fuzzy Hash: 6E1110B6C0024A8FCB10CF9AC844ADEFBF4EB88324F10896AD859B7210C375A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 070E35DD
Memory Dump Source
• Source File: 0000000B.00000002.2373644691.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_70e0000_AppLaunch.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 5f553cb1ea96abe08a443dcea15be3f14e67ea28072744f42a67799fa2b1ffba
• Instruction ID: 730427bf8de105980169a96034c293c8fd464047d675d145f537548a624211cf
• Opcode Fuzzy Hash: 5f553cb1ea96abe08a443dcea15be3f14e67ea28072744f42a67799fa2b1ffba
• Instruction Fuzzy Hash: F11102B69003499FDB10CF8AC884BDEBFF8EB48324F108459E554A7200C374A944CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 070E35DD
Memory Dump Source
• Source File: 0000000B.00000002.2373644691.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_70e0000_AppLaunch.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: f96c890048641dd4625362e627fa2fff424ce5bcc1615f7e4e6f238310e128fa
• Instruction ID: 5692cc099f9d39bf9bd990369e8f5d5720f199f4444261b03b10f428be1fec78
• Opcode Fuzzy Hash: f96c890048641dd4625362e627fa2fff424ce5bcc1615f7e4e6f238310e128fa
• Instruction Fuzzy Hash: 851122B5800249CFDB10CF9AC984BDEBFF8EB48324F10841AD458A7300C374A984CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.2373385401.000000000703D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0703D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_703d000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d3e462a5b76bb54efe287fb23edbe134457deaa72101784a3eba1401a1b3f8c
• Instruction ID: fe5c8a75989a113ac58e14a000b0aacddbaa6cfa14cc32fe6c829edee11036e5
• Opcode Fuzzy Hash: 6d3e462a5b76bb54efe287fb23edbe134457deaa72101784a3eba1401a1b3f8c
• Instruction Fuzzy Hash: CE2107B1604241DFDB05DF14D9C0B2BBFA9FB84318F24C66AE9094B256C336D456CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.2373385401.000000000703D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0703D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_703d000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 939366ec68ff6fb104f9791c2f5a3ab9ee2d9147bb4083a7d138619fc3550a3a
• Instruction ID: dd737c50ba79fa2a968a5f56ed5d6f3db4245ad28c1f1d5227675bcd2600bc0b
• Opcode Fuzzy Hash: 939366ec68ff6fb104f9791c2f5a3ab9ee2d9147bb4083a7d138619fc3550a3a
• Instruction Fuzzy Hash: 622128B1604204DFEB05DF14D9C0B1ABFA9FB94324F24C6A9D9094B216C376E456C7A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.2373421660.000000000704D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0704D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_704d000_AppLaunch.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2bf9f7a19aacb5cd74c695a1afd086173c99cb40b7f7ca7ee2c0329462ba0db4
• Instruction ID: f51622672d37777db777ff7e919e075c28fecdaac90d957fcb0c4d0a1a3e2aa2
• Opcode Fuzzy Hash: 2bf9f7a19aacb5cd74c695a1afd086173c99cb40b7f7ca7ee2c0329462ba0db4
• Instruction Fuzzy Hash: 2521F2F1604240DFCB14DF14D988B2ABBA5EB84314F24C67DDA098B256C33AD447CA61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.2373421660.000000000704D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0704D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_704d000_AppLaunch.jbxd
Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 05fd4610ce2b4bdf7269ac672094bacb94e7c34c5877addd1ce48ed7db09d1e8
                                                                                                                                                                                                                  • Instruction ID: 54f66d3234122a6366fd6ce6b1e25d1a1d4c4a28965939d13fe4408089a4072c
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 05fd4610ce2b4bdf7269ac672094bacb94e7c34c5877addd1ce48ed7db09d1e8
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 102162B55083809FCB16CF14D994711BFB1EB46214F28C6EAD9498F267C33A985ACB62
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2373385401.000000000703D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0703D000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_703d000_AppLaunch.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
                                                                                                                                                                                                                  • Instruction ID: 22b42190d6b8686183372ab46afec06add52cfdbd04beb3a08da5115b4bb04ac
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B11E6B6604280CFCB16CF14D9C4B16BFB1FB84318F24C6AADC494B616C336D45ACBA1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2373385401.000000000703D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0703D000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_703d000_AppLaunch.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
                                                                                                                                                                                                                  • Instruction ID: 24ac9b21a595f09417554a6e28667cd9004daadd3669999945f563b661f2da3e
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 881103B2504280CFDB02CF10D9C4B16BFB1FB94324F24C6A9D8090B616C33AE45ACBA1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • SetPriorityClass.KERNEL32(?,00008000), ref: 00849004
                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00848DA0), ref: 0084900B
                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00849023
                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00849086
                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008494D3
                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(B7B1B6A8,B7B1B6A8,FFFFFFF9,FFFFFFFF,00000002,00000000,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB), ref: 0084960B
                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(96919688,96919688,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,00000002,00000000), ref: 00849672
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0001CA80,00000000,00000000,00000000), ref: 00849693
                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,00000002,00000000), ref: 0084969A
                                                                                                                                                                                                                  • Sleep.KERNEL32(00000001,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,00000002,00000000), ref: 0084974E
                                                                                                                                                                                                                  • GetTempPathA.KERNEL32(000000FA,00000002,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,00000002,00000000), ref: 00849787
                                                                                                                                                                                                                    • Part of subcall function 007FB940: GetFileAttributesA.KERNEL32(?,?,?,00822420), ref: 007FB95D
                                                                                                                                                                                                                    • Part of subcall function 007FB940: GetLastError.KERNEL32(?,00822420), ref: 007FB968
                                                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(00929B8C,00000000,AFB2BAAB,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,00000002), ref: 00849C02
                                                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(?,00000000,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,00000002,00000000), ref: 00849C31
                                                                                                                                                                                                                  • SetCurrentDirectoryA.KERNEL32(?,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,00000002,00000000), ref: 00849D67
                                                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus,?,?,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,00000002), ref: 00849D93
                                                                                                                                                                                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,?,ADBEAFAC,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB), ref: 00849EFC
                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,ADBEAFAC,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,?,?,BAAAADAB,00000002,00000000), ref: 00849F11
                                                                                                                                                                                                                  • Sleep.KERNEL32(00000064), ref: 00849FC3
                                                                                                                                                                                                                  • shutdown.WS2_32(00000002), ref: 00849FF3
                                                                                                                                                                                                                  • closesocket.WS2_32 ref: 00849FFF
                                                                                                                                                                                                                  • WSACleanup.WS2_32 ref: 0084A005
                                                                                                                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0084A015
                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0084A02B
                                                                                                                                                                                                                  • __aulldiv.LIBCMT ref: 0084A3E7
                                                                                                                                                                                                                  • __aulldiv.LIBCMT ref: 0084A598
                                                                                                                                                                                                                  • send.WS2_32(0000000F,00000000,00000000,00000000), ref: 0084A5FF
                                                                                                                                                                                                                  • Sleep.KERNEL32(00000064,?,?,?,00006BC0,00000000,?,000000A3,FFFFFFF9,FFFFFFFF,00000002,00000000,?,?,BAAAADAB), ref: 0084A7B6
                                                                                                                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,00006BC0,00000000,?,000000A3,FFFFFFF9,FFFFFFFF,00000002,00000000), ref: 0084A90D
                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,?,00008A8E,00008A8D,?,?,?,?,?,00006BC0,00000000,?,000000A3), ref: 0084B0C1
                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0084B0CF
                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,00008A8E,00008A8D,?,?,?,?,?,00006BC0,00000000,?,000000A3,FFFFFFF9,FFFFFFFF,00000002), ref: 0084B0DD
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0004A2F0,00000000,00000000,00000000), ref: 0084B545
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0083B6D0,00000000,00000000,00000000), ref: 0084B559
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00052BE0,00000000,00000000,00000000), ref: 0084B56D
                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(6A410000,?,?,B3AABE89,B3AABE89,B6B8B0B3,B6B8B0B3,?,00008A8E,00008A8D,?,?,?,?,?,00006BC0), ref: 0084B6B3
                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,?,?,00008A8E,00008A8D,?,?,?,?,?,00006BC0,00000000), ref: 0084B891
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00053170,00000000,00000000,00000000), ref: 0084BB0E
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00054190,00000000,00000000,00000000), ref: 0084BB22
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000559B0,00000000,00000000,00000000), ref: 0084BB36
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000566C0,00000000,00000000,00000000), ref: 0084BB4A
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00057D90,00000000,00000000,00000000), ref: 0084BB5E
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00057EA0,00000000,00000000,00000000), ref: 0084BB72
                                                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00058BA0,00000000,00000000,00000000), ref: 0084BB86
                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000493E0), ref: 0084BD36
                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000493E0), ref: 0084BDE6
                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0084C064
                                                                                                                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0084C69C
                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00849C48
                                                                                                                                                                                                                    • Part of subcall function 007FB990: FindFirstFileA.KERNEL32(00000000,00000004,008E8953,?,?,?,\*.*,00000004,?,74DF3100), ref: 007FBAA1
                                                                                                                                                                                                                  • GetVersionExA.KERNEL32(0000009C), ref: 0084C811
                                                                                                                                                                                                                  • MessageBoxA.USER32(00000000,The Windows Vista operating system is not an obstacle.,Error,00000010), ref: 0084C83B
                                                                                                                                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 0084C8D9
                                                                                                                                                                                                                  • shutdown.WS2_32(00000002), ref: 0084C8E3
                                                                                                                                                                                                                  • closesocket.WS2_32 ref: 0084C8EF
                                                                                                                                                                                                                  • WSACleanup.WS2_32 ref: 0084C8F5
                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(ntdll.dll,?), ref: 0084C940
                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0084C94E
                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 0084C95C
                                                                                                                                                                                                                  • NtTerminateProcess.NTDLL(00000000), ref: 0084C963
                                                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 0084C96A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: Create$Thread$Sleep$Unothrow_t@std@@@__ehfuncinfo$??2@$CurrentFileHandleProcess$DirectoryLibraryObjectSingleWait$AddressAttributesCleanupCloseErrorLastLoadModuleProc__aulldivclosesocketshutdown$ClassDeleteExceptionFilterFindFirstFreeMessageMutexPathPriorityTempTerminateUnhandledVersionsend
• String ID: <!-- Your config file -->$.$/*************/$131$89.149.18.60$:$</config>$<config>$C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus$Error$L$The Windows Vista operating system is not an obstacle.$\config.xml$ntdll.dll$2$2
• API String ID: 3390398298-3592079131
• Opcode ID: ba1ab67e021a2bdd03cef2f6e06a54ef0029a1d39244bb6dbbc3d20a95f6b87f
• Instruction ID: 6e498d5bfd7c919180c5179558f5791731701f510321821ba9c429f00e6a868a
• Opcode Fuzzy Hash: ba1ab67e021a2bdd03cef2f6e06a54ef0029a1d39244bb6dbbc3d20a95f6b87f
• Instruction Fuzzy Hash: C083E070900268CFDB28CF68C854BAEBBB1FF55304F1441D9D849AB392DB75AA85CF91
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,F5F1F583,?,F5F1F583,008318FA,00000000,F5F1F583,F5F1F584,F5F1F583,00000000,7FFFFFFF), ref: 007FEBE5
• CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,F5F1F583,?,0091164C,00000001,0000002E,0000002F,?,00000000,008318FA), ref: 007FEEAB
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 007FEF1B
• FindNextFileA.KERNEL32(00000000,?), ref: 007FEF31
• FindClose.KERNEL32(00000000), ref: 007FEF41
• GetLastError.KERNEL32 ref: 007FEF47
• GetLastError.KERNEL32 ref: 007FEF65
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000,7FFFFFFF), ref: 007FF0E6
• CreateDirectoryA.KERNEL32(?,00000000,?,ABAA9E83,?,?,ABAA9E83,ABAA9E84,ABAA9E83,?,?,?,ABAA9E83,ABAA9E84,ABAA9E83), ref: 007FF2C4
• CreateDirectoryA.KERNEL32(00000000,00000000,?,BBB19683,?,?,BBB19683,BBB19684,BBB19683,?,BBB19683,?,00000000,BBB19683,BBB19684,BBB19683), ref: 007FF424
• CreateDirectoryA.KERNEL32(00000000,00000000,?,BCB09383,?,?,BCB09383,BCB09384,BCB09383,?,BCB09383,?,00000000,BCB09383,BCB09384,BCB09383), ref: 007FF687
  • Part of subcall function 007FB940: GetFileAttributesA.KERNEL32(?,?,?,00822420), ref: 007FB95D
  • Part of subcall function 007FB940: GetLastError.KERNEL32(?,00822420), ref: 007FB968
• CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 007FF902
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: CreateDirectory$File$ErrorFindLast$AttributesCloseCopyFirstFolderNextPath
• String ID: &$.
• API String ID: 3850399370-4005498665
• Opcode ID: 2836b7f60413fd17ed45745e2230d26c79af467ee0b1dfd22768961ea8147601
• Instruction ID: 687d0f465713b93ffd64da074e048566d1943354e60b54159862a4d76bf02a7d
• Opcode Fuzzy Hash: 2836b7f60413fd17ed45745e2230d26c79af467ee0b1dfd22768961ea8147601
• Instruction Fuzzy Hash: 7EB2AE70C1028DDEDF04DFA8C8587FDBBB4AF15304F148298E555BB292EBB85A49CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNEL32(00000064), ref: 0080D376
  • Part of subcall function 0080BCD0: setsockopt.WS2_32(0000FFFF,00001006,?,00000008), ref: 0080BCFC
• recv.WS2_32(?,00000004,00000002), ref: 0080CAF1
• WSAGetLastError.WS2_32 ref: 0080CAF5
• recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 0080CB73
• recv.WS2_32(00000000,0000000C,00000008), ref: 0080CB94
• recv.WS2_32(00000000,?,00000008,?), ref: 0080CC26
• recv.WS2_32(?,00000004,00000008), ref: 0080CD31
• __aulldiv.LIBCMT ref: 0080D0DD
• __aulldiv.LIBCMT ref: 0080D27D
• send.WS2_32(?,00000000,00000000,00000000), ref: 0080D2E4
• Sleep.KERNEL32(00000001), ref: 0080D368
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: recv$Sleep__aulldiv$ErrorLastsendsetsockopt
• String ID: 2$2
• API String ID: 4175949153-3919836843
• Opcode ID: 41fc9198f39591af0d054f1698aaeac94bc8d74378fa7198637fa69853472d66
• Instruction ID: 217e23bccab36562fe4454b4fcb85e4ba0bb277c797547a0fb2123ab07e9f7ce
• Opcode Fuzzy Hash: 41fc9198f39591af0d054f1698aaeac94bc8d74378fa7198637fa69853472d66
• Instruction Fuzzy Hash: 39424670E00258CBEB24CFA8CD54BEDBBB1FB59304F218299D419B7292D7751A85CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,0092C150,?,B6B8B0B3,B6B8B0B3), ref: 0082C1AC
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0082C1E7
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,000000FF), ref: 0082C215
• RegQueryValueExA.ADVAPI32(000000FF,B6BEB29A,00000000,00000001,?,00000104,B6BEB29A), ref: 0082C313
• RegQueryValueExA.ADVAPI32(000000FF,8F9E9296,00000000,00000001,?,00000104,8F9E9296,?,?,?,?,?,000000F2), ref: 0082C453
• RegQueryValueExA.ADVAPI32(000000FF,8F8B928C,00000000,00000001,?,00000104,8F8B928C,?,?,?,?,?,000000F2), ref: 0082C4A3
• RegQueryValueExA.ADVAPI32(000000FF,8F9E9296,00000000,00000003,?,00000200,8F9E9296,?,?,?,?,?,000000F2), ref: 0082C569
• RegQueryValueExA.ADVAPI32(000000FF,EC8F908F,00000000,00000003,?,00000200,EC8F908F,?,?,?,?,?,000000F2), ref: 0082C5D9
• RegQueryValueExA.ADVAPI32(000000FF,8F8B8B97,00000000,00000003,?,00000200,8F8B8B97,?,?,?,?,?,000000F2), ref: 0082C649
• RegQueryValueExA.ADVAPI32(000000FF,8F8B928C,00000000,00000003,?,00000200,8F8B928C,?,?,?,?,?,000000F2), ref: 0082C6B9
• RegCloseKey.ADVAPI32(000000FF), ref: 0082CDA1
• RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 0082CDD4
• RegCloseKey.ADVAPI32(?), ref: 0082CDE8
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: QueryValue$CloseEnumOpen
• String ID:
• API String ID: 2041898428-0
• Opcode ID: 71e89a40f6ffbdff683c53f40558a4e8fdaeecc70b34c112fcb119ad490d4838
• Instruction ID: c39d88faadd1c7548b1a98ee160511a9078ef05813c105514b37e4c4cf2a687a
• Opcode Fuzzy Hash: 71e89a40f6ffbdff683c53f40558a4e8fdaeecc70b34c112fcb119ad490d4838
• Instruction Fuzzy Hash: B082A0708002A89EDF25DFA4DC54BEEBBB4FF15300F1481D9E549A7642EB705A89CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,00842C95), ref: 00820E84
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,00000000), ref: 00820EFA
• GetPrivateProfileStringA.KERNEL32(?,B7ABBE8F,00000000,?,00000104), ref: 00820FC9
• lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00842C95), ref: 0082310F
  • Part of subcall function 007FB4D0: __fread_nolock.LIBCMT ref: 007FB5CE
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00822441
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 008226F9
Strings
Similarity
• API ID: CreateDirectoryPrivateProfile$FolderNamesPathSectionString__fread_nolocklstrlen
• String ID: &$cannot use operator[] with a string argument with
• API String ID: 2628882823-967631581
• Opcode ID: 8b260b1b3be9e8dbab4ad15460d6646588df9aabf8040d54a58e3f9ed7d30ffb
• Instruction ID: c3721fefa51b7417f0f9e3e48844fc90775a9b21649c33fc1e17f7a3c74fcb16
• Opcode Fuzzy Hash: 8b260b1b3be9e8dbab4ad15460d6646588df9aabf8040d54a58e3f9ed7d30ffb
• Instruction Fuzzy Hash: A133AF70C042A8DADF15DB68CC58BEEBBB5BF16300F1441D9E449A7242DB745B89CFA2
Uniqueness

Uniqueness Score: -1.00%
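The value names passed to RegQueryValueExA in the registry-walk function above, and the key name passed to GetPrivateProfileStringA in the INI-walk functions, are shown by the IDA plugin as four-byte immediates (B6BEB29A, 8F9E9296, B7ABBE8F, ...) rather than as strings. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses the API lines as they appear on this page and decodes those immediates. The single-byte XOR key 0xDF is an assumption inferred from the values themselves (every one of them turns into printable ASCII under it); the report does not state how the strings are built. The decoded prefixes Emai, IMAP, SMTP, POP3 and HTTP match the value names Outlook keeps under its profile keys in HKEY_CURRENT_USER (Email, IMAP Server, IMAP Password, and so on), which fits the report's "Tries to steal Mail credentials" signature: the reads with type 1 and a 0x104-byte buffer fetch REG_SZ server and address strings, the reads with type 3 and a 0x200-byte buffer fetch the REG_BINARY password blobs. Path together with CSIDL 0x1A (CSIDL_APPDATA) and GetPrivateProfileSectionNamesA is the pattern for walking an INI of profiles such as a Mozilla-style profiles.ini, although the report does not show the file name. The "cannot use operator[] with a string argument with" string in the same functions is the nlohmann::json type_error text, so the harvested data is most likely staged as JSON.

```python
"""Decode the stack-string immediates recorded as lpValueName / lpKeyName in the
Joe Sandbox API listings on this page.

Added example, not code from the report or the sample. Assumption: each
immediate is one little-endian dword of a string obfuscated with a single-byte
XOR key (0xDF); the key is inferred from the listed values, not stated anywhere.
"""
import re
import struct

XOR_KEY = 0xDF  # assumed key: all immediates on the page decode to ASCII under it

REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY"}
HKEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
SAM = {0x20019: "KEY_READ"}
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}

# Argument lines copied from the report entries on this page (constructed input).
REPORT_LINES = [
    "RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?,0092C150,?,B6B8B0B3,B6B8B0B3), ref: 0082C1AC",
    "RegQueryValueExA.ADVAPI32(000000FF,B6BEB29A,00000000,00000001,?,00000104,B6BEB29A), ref: 0082C313",
    "RegQueryValueExA.ADVAPI32(000000FF,8F9E9296,00000000,00000001,?,00000104,8F9E9296,?,?,?,?,?,000000F2), ref: 0082C453",
    "RegQueryValueExA.ADVAPI32(000000FF,8F8B928C,00000000,00000001,?,00000104,8F8B928C,?,?,?,?,?,000000F2), ref: 0082C4A3",
    "RegQueryValueExA.ADVAPI32(000000FF,8F9E9296,00000000,00000003,?,00000200,8F9E9296,?,?,?,?,?,000000F2), ref: 0082C569",
    "RegQueryValueExA.ADVAPI32(000000FF,EC8F908F,00000000,00000003,?,00000200,EC8F908F,?,?,?,?,?,000000F2), ref: 0082C5D9",
    "RegQueryValueExA.ADVAPI32(000000FF,8F8B8B97,00000000,00000003,?,00000200,8F8B8B97,?,?,?,?,?,000000F2), ref: 0082C649",
    "RegQueryValueExA.ADVAPI32(000000FF,8F8B928C,00000000,00000003,?,00000200,8F8B928C,?,?,?,?,?,000000F2), ref: 0082C6B9",
    "GetPrivateProfileStringA.KERNEL32(?,B7ABBE8F,00000000,?,00000104), ref: 00820FC9",
    "SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00826BC5",
]

# "<Api>.<Module>(<args>), ref: <8 hex digits>" as printed by the IDA plugin
CALL_RE = re.compile(r"^(\w+)\.\w+\((.*)\), ref: ([0-9A-F]{8})$")


def decode_chunk(value, key=XOR_KEY):
    """Undo the per-byte XOR on one little-endian dword and return its 4 ASCII chars.
    0x8F9E9296 -> bytes 96 92 9E 8F -> XOR 0xDF -> 'IMAP'."""
    raw = struct.pack("<I", value)
    return bytes(b ^ key for b in raw).decode("ascii")


def parse_call(line):
    """Split one API line into (api, args, ref); '?' (unresolved) becomes None."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    api, arglist, ref = m.groups()
    args = [None if a == "?" else int(a, 16) for a in arglist.split(",")]
    return api, args, ref


def describe(line):
    """Rewrite the line with the obfuscated name decoded and the constants named."""
    parsed = parse_call(line)
    if parsed is None:
        return line
    api, args, ref = parsed
    if api == "RegQueryValueExA":
        # (hKey, lpValueName, lpReserved, lpType, lpData, lpcbData): the plugin prints
        # the pointed-to values for lpType and lpcbData, so args[3] is the registry
        # type and args[5] the receiving buffer size.
        name = decode_chunk(args[1])
        rtype = REG_TYPES.get(args[3], "type %d" % args[3])
        return "%s: %s value '%s...' as %s, buffer 0x%X" % (ref, api, name, rtype, args[5])
    if api == "RegOpenKeyExA":
        hive = HKEYS.get(args[0], "0x%08X" % args[0])
        access = SAM.get(args[3], "0x%X" % args[3])
        return "%s: %s under %s, samDesired %s" % (ref, api, hive, access)
    if api == "GetPrivateProfileStringA":
        return "%s: %s key '%s', buffer 0x%X" % (ref, api, decode_chunk(args[1]), args[4])
    if api == "SHGetFolderPathA":
        return "%s: %s folder %s" % (ref, api, CSIDL.get(args[1], hex(args[1])))
    return line


def decoded_value_names(lines=REPORT_LINES):
    """Decoded 4-char prefix of every RegQueryValueExA value name, in call order."""
    out = []
    for line in lines:
        parsed = parse_call(line)
        if parsed and parsed[0] == "RegQueryValueExA":
            out.append(decode_chunk(parsed[1][1]))
    return out


if __name__ == "__main__":
    for line in REPORT_LINES:
        print(describe(line))
```

Only the first dword of each name is visible in the listing, so the script recovers prefixes, not whole value names; the ordering (three REG_SZ reads, then four REG_BINARY reads for IMAP, POP3, HTTP and SMTP) is what distinguishes a password harvest from a benign profile lookup. The same decoder applies to any other immediate the plugin prints in an argument slot, including the trailing stack slots it could not map to parameters.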

Control-flow Graph (legend: Executed / Not Executed)
[Graph edge list omitted: function entry at 0x826ab0, basic blocks 0x826ab0 through 0x827a32. Block 0x826b55 calls SHGetFolderPathA, 0x826c19 calls GetPrivateProfileSectionNamesA, and 0x826cf7 calls GetPrivateProfileStringA inside a per-section loop that closes at 0x82794e with lstrlenA; the inner blocks call 0x7f2aa0, 0x84fe50, 0x7fbd90, 0x887540, 0x887830, 0x89bcb0, 0x857a90 and 0x8aafb1, and the error edges converge on 0x8279db (call 0x8c64b0) and 0x827a0d (call 0x8c2a3b, which ends in RaiseException with code E06D7363).]
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00826BC5
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00826C56
• GetPrivateProfileStringA.KERNEL32(?,B7ABBE8F,00000000,?,00000104), ref: 00826D0B
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00827644
• lstrlenA.KERNEL32(?), ref: 0082794F
Strings
Similarity
• API ID: PrivateProfile$FolderNamesPathSectionStringUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
• String ID: #$cannot use operator[] with a string argument with
• API String ID: 3203477177-740485285
• Opcode ID: 394daf887a3cf2622c1c7deb9ae54b77c391e50210ebe14310f5ccac1a879f21
• Instruction ID: c0ae4ea5267a74e100062ac21ada826681f3c19078c94dc9501a1dd3670d4370
• Opcode Fuzzy Hash: 394daf887a3cf2622c1c7deb9ae54b77c391e50210ebe14310f5ccac1a879f21
• Instruction Fuzzy Hash: 3BA2AD70D042A8CEDF25DB68D855BEDBBB4BF15300F1481D9E449A7282DB745B88CFA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00824306
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00824397
• GetPrivateProfileStringA.KERNEL32(?,B7ABBE8F,00000000,?,00000104), ref: 0082444B
  • Part of subcall function 00804AC0: __Mtx_unlock.LIBCPMT ref: 00804B58
• lstrlenA.KERNEL32(?), ref: 00825318
  • Part of subcall function 008C2A3B: RaiseException.KERNEL32(E06D7363,00000001,00000003,00000000,?,?,?,008A919F,00000000,00926D34,?,00000000), ref: 008C2A9B
Strings
Similarity
• API ID: PrivateProfile$ExceptionFolderMtx_unlockNamesPathRaiseSectionStringlstrlen
• String ID: '$cannot use operator[] with a string argument with
• API String ID: 3748818436-1348476624
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000000,?,?), ref: 0081839B
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008199A5
  • Part of subcall function 008C2A3B: RaiseException.KERNEL32(E06D7363,00000001,00000003,00000000,?,?,?,008A919F,00000000,00926D34,?,00000000), ref: 008C2A9B
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: ExceptionFolderPathRaiseUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: @$cannot use operator[] with a string argument with $g
• API String ID: 3139777191-1098361084
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0081E2DA
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: FolderPath
• String ID: +$-$@
• API String ID: 1514166925-3905070308
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0081E2DA
  • Part of subcall function 00811B60: FindFirstFileA.KERNEL32(?,0000F583,?,0000F583,?,?,0000F583,0000F584,0000F583,?), ref: 00811C65
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: FileFindFirstFolderPath
• String ID: +$-$@
• API String ID: 2195519125-3905070308
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,ABACB6B7,ABACB6B7), ref: 0081A63E
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0081AF32
Strings
• , xrefs: 0081AFBF
• cannot use operator[] with a string argument with , xrefs: 0081B16B
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: FolderPathUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: $cannot use operator[] with a string argument with
• API String ID: 2082173394-2524441778
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00814CE5
Strings
• , xrefs: 0081566F
• cannot use operator[] with a string argument with , xrefs: 0081582D
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: FolderPath
• String ID: $cannot use operator[] with a string argument with
• API String ID: 1514166925-2524441778
                                                                                                                                                                                                                  • Opcode ID: 8702bb355791b7429106964f8b80f47fbbd81404c16e9eeade1ce08ddcdf55ca
                                                                                                                                                                                                                  • Instruction ID: b109f60e7cac4f649b282996f729388b894964283e099726e9ee5ce401ccaa40
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8702bb355791b7429106964f8b80f47fbbd81404c16e9eeade1ce08ddcdf55ca
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FE82AD71D04298CFDF14DBA8C854BEDBBB5FF55304F188298E449B7282DB706A89CB91
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000003,00000001), ref: 00800575
                                                                                                                                                                                                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?,?,00000003,00000001), ref: 00800598
                                                                                                                                                                                                                  Strings
Similarity
• API ID: FolderPath
• String ID: q
• API String ID: 1514166925-4110462503
• Opcode ID: 962745b759a4f8e96f3bf021c9d8de00379e8c214c3e8d88a0de436f01b9d347
• Instruction ID: c2b05c6958dfdf81b021b7a9869231f437c92c4c7956368b4c5cff9f3b0ffe0a
• Opcode Fuzzy Hash: 962745b759a4f8e96f3bf021c9d8de00379e8c214c3e8d88a0de436f01b9d347
• Instruction Fuzzy Hash: E682B070C1428CCADF15DFA4C9587EDBBB4BF1A304F14829DD44667292EB742B89CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,008DB0AF,00000000,00000000,00000000), ref: 008DAF6E
Strings
Similarity
• API ID: InformationTimeZone
• String ID: W. Europe Standard Time$W. Europe Summer Time
• API String ID: 565725191-690618308
• Opcode ID: b919150e496d7d33fd0ebdc7982a04401ab2a0cea48d6dc1e5c58c36036e3f0b
• Instruction ID: e413d40c3727de3a845ed03f88631c2147635aab1ca871787630f6b8ffb1b63e
• Opcode Fuzzy Hash: b919150e496d7d33fd0ebdc7982a04401ab2a0cea48d6dc1e5c58c36036e3f0b
• Instruction Fuzzy Hash: C6C11672900115AFCB28AB69DC02ABE77B9FF04720F254257F911EB381EB708E41D792
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNEL32(?,00000000), ref: 0084679E
  • Part of subcall function 007FB990: FindFirstFileA.KERNEL32(00000000,00000004,008E8953,?,?,?,\*.*,00000004,?,74DF3100), ref: 007FBAA1
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00846DB6
Similarity
• API ID: CreateDirectory$FileFindFirst
• String ID:
• API String ID: 2788900106-0
• Opcode ID: 5471feddfdea4af58a829ff587942b026bf4972ab8cf2352425cf528a6093af0
• Instruction ID: 8a4bd73d43d70a153e8c213e6fb8bcc8e6a5de1eaac353bdbb2216b65bfaf215
• Opcode Fuzzy Hash: 5471feddfdea4af58a829ff587942b026bf4972ab8cf2352425cf528a6093af0
• Instruction Fuzzy Hash: A8D29E308086DD8ECF25D7788C497EDBB70AF26314F1442DDE599A72D2EB344A85CB62
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNEL32(?,00000000), ref: 0084425B
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 55e577050a66ec0a420089509475b17530a248d330d2215cd7ebd9329ffd6d5c
• Instruction ID: ad22364bc0ee4e3c54cdc935aaa9afa4e003d94319fc7d5fd4cf49c93dd17f6b
• Opcode Fuzzy Hash: 55e577050a66ec0a420089509475b17530a248d330d2215cd7ebd9329ffd6d5c
• Instruction Fuzzy Hash: D7E260308087DE8ECF25D7788C487DDBB74AF26314F5442D9E1A9A72D2D7344A86CB62
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
(rendered graph for basic blocks 8d08b9-8d0be2 omitted; raw graph data not reproduced)
APIs
  • Part of subcall function 008D0572: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 008D058F
• GetLastError.KERNEL32 ref: 008D09CD
• __dosmaperr.LIBCMT ref: 008D09D4
• GetFileType.KERNEL32(00000000), ref: 008D09E0
• GetLastError.KERNEL32 ref: 008D09EA
• __dosmaperr.LIBCMT ref: 008D09F3
• CloseHandle.KERNEL32(00000000), ref: 008D0A13
• CloseHandle.KERNEL32(?), ref: 008D0B60
• GetLastError.KERNEL32 ref: 008D0B92
• __dosmaperr.LIBCMT ref: 008D0B99
Strings
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                                                                  • String ID: H
                                                                                                                                                                                                                  • API String ID: 4237864984-2852464175
                                                                                                                                                                                                                  • Opcode ID: 4a9c507240cc03ab5753dc227c13fa7fb1ee5e0839bd0ce40d082eed0cc2be38
                                                                                                                                                                                                                  • Instruction ID: 75f2c3c6793683d638a20b00e0335a1e17407dc1df87a6a325c6e984a4793623
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4a9c507240cc03ab5753dc227c13fa7fb1ee5e0839bd0ce40d082eed0cc2be38
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C2A136319142199FCF19AF68DC52BAD3BE1FB06324F14025EF811EB392DB359812DB52
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                   Control-flow Graph

                                                                                                                                                                                                                   • Graph rendering omitted; entry block: 80e020-80e09a
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • __aulldiv.LIBCMT ref: 0080E34C
                                                                                                                                                                                                                  • __aulldiv.LIBCMT ref: 0080E48B
                                                                                                                                                                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 0080E4E9
                                                                                                                                                                                                                  • Sleep.KERNEL32(00000064,?,?,0000000A,00000000,?), ref: 0080E5E2
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: __aulldiv$Sleepsend
                                                                                                                                                                                                                  • String ID: 131$2$2
                                                                                                                                                                                                                  • API String ID: 1279978859-383009711
                                                                                                                                                                                                                  • Opcode ID: cab190684945e1cd1788ba8ce6c050557eeff60937379059075bbfce8ce44843
                                                                                                                                                                                                                  • Instruction ID: 7a57b74368a76ce2c10ff33bf861ebfe587c9d5aeb9593ecc7d966e16bd7df17
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cab190684945e1cd1788ba8ce6c050557eeff60937379059075bbfce8ce44843
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AF126770E00258CFEF15CFA8C9647EEBBB1FB59314F208659D411BB282D7751986CBA1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                   Control-flow Graph

                                                                                                                                                                                                                   • Graph rendering omitted; entry block: 80e610-80e68a
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • __aulldiv.LIBCMT ref: 0080E93C
                                                                                                                                                                                                                  • __aulldiv.LIBCMT ref: 0080EA7B
                                                                                                                                                                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 0080EAD9
                                                                                                                                                                                                                  • Sleep.KERNEL32(00000064,?,?,0000000A,00000000,?), ref: 0080EBD2
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: __aulldiv$Sleepsend
                                                                                                                                                                                                                  • String ID: 131$2$2
                                                                                                                                                                                                                  • API String ID: 1279978859-383009711
                                                                                                                                                                                                                  • Opcode ID: 9ed1f53992f88bc53ec071ce051d2fe1b57b7c38e789c23665ea2228f4816257
                                                                                                                                                                                                                  • Instruction ID: b8cde653c0f1178b2b1bf4ae65957bcfbdc096119b6ac6a732e48083bf703ce2
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ed1f53992f88bc53ec071ce051d2fe1b57b7c38e789c23665ea2228f4816257
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F0125670E00258CFEF15CFA8C9A47AEBBB1FB59314F208659D411BB282D7751985CBA1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                   Control-flow Graph

                                                                                                                                                                                                                   • Graph rendering omitted; entry block: 80ec00-80ec7a
                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • __aulldiv.LIBCMT ref: 0080EF2C
                                                                                                                                                                                                                  • __aulldiv.LIBCMT ref: 0080F06B
                                                                                                                                                                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 0080F0C9
                                                                                                                                                                                                                  • Sleep.KERNEL32(00000064,?,?,0000000A,00000000,?), ref: 0080F1C2
                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                   • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: __aulldiv$Sleepsend
                                                                                                                                                                                                                  • String ID: 131$2$2
                                                                                                                                                                                                                  • API String ID: 1279978859-383009711
                                                                                                                                                                                                                  • Opcode ID: 83f0feac07bc77def9248e8e32790dabf725159f6f340d70c354e4a7c0709e34
                                                                                                                                                                                                                  • Instruction ID: c27bc4ccaf7397e0fc09c614a5ac4d0ac8554e8a2af930a59f9db50e12654226
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 83f0feac07bc77def9248e8e32790dabf725159f6f340d70c354e4a7c0709e34
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 28126970E00258CFEF15CFA8C9647EEBBB1FB59304F208659D811BB682D7751985CBA1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(?), ref: 007F874F
                                                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: AttributesFile
• String ID: *$.zip$/$\$recursive_directory_iterator::recursive_directory_iterator
• API String ID: 3188754299-893826777
Uniqueness

Uniqueness Score: -1.00%

Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 007FB6A0: GetCurrentProcess.KERNEL32(?), ref: 007FB6AF
  • Part of subcall function 007FB6A0: IsWow64Process.KERNEL32(00000000), ref: 007FB6B6
• RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,00000000,?,B1B4B18A,B1B4B18B,B1B4B18A), ref: 007FCC3E
• RegQueryValueExA.KERNEL32(00000000,B7BCBE92,00000000,00020019,B7BCBE92,00000400,B7BCBE92), ref: 007FCC9E
• RegCloseKey.ADVAPI32(00000000), ref: 007FCCCD
• GetCurrentHwProfileA.ADVAPI32(?), ref: 007FCD47
Similarity
• API ID: CurrentProcess$CloseOpenProfileQueryValueWow64
• String ID:
• API String ID: 165412945-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0087A55F
• GetLastError.KERNEL32 ref: 0087A56A
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0087A592
• GetLastError.KERNEL32 ref: 0087A59C
Similarity
• API ID: ErrorFileLast$PointerRead
• String ID:
• API String ID: 2170121939-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00806817
• WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00806827
Strings
Similarity
• API ID: CreateObjectProcessSingleWait
• String ID: D
• API String ID: 623904672-2746444292
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 008D058F
Strings
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                  • API String ID: 823142352-2766056989
                                                                                                                                                                                                                  • Opcode ID: 60cceb3e09acaea798488a2cf8c2f79e6bde609417a4c11fd7a140bc77c9a5cd
                                                                                                                                                                                                                  • Instruction ID: 5abc2f3ce7476666d143405dc0b35626cbc62139183acf9a6ddd8ce1cd564503
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 60cceb3e09acaea798488a2cf8c2f79e6bde609417a4c11fd7a140bc77c9a5cd
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6461F67190010DABDB299A68EC45FBE3B65FB10328F284367FA14E6391E274CD90DE55
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 007FC668
                                                                                                                                                                                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 007FC869
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: DirectoryInformationVolumeWindows
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 3487004747-0
                                                                                                                                                                                                                  • Opcode ID: adfb82174a891bf604bab1f724be4c1894d48d3dd79da5611a909027a3efdea5
                                                                                                                                                                                                                  • Instruction ID: 033139d83e5e2e3de1fc9ffc1803d50dd95168c367c4dbb0be597b985bb3dbd3
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: adfb82174a891bf604bab1f724be4c1894d48d3dd79da5611a909027a3efdea5
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2FB1E070C0024DDADF05DFA8C9197FEBBB4AF05304F14829DE541A7282E7B96649CBA1
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CopyFileA.KERNEL32(00820B4B,?,00000000), ref: 00804959
                                                                                                                                                                                                                  • __Mtx_unlock.LIBCPMT ref: 00804A37
                                                                                                                                                                                                                    • Part of subcall function 00804750: CopyFileA.KERNEL32(00820B4B,?,00000000), ref: 0080475F
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CopyFile$Mtx_unlock
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 741997458-0
                                                                                                                                                                                                                  • Opcode ID: 81da3694fada472d18b7e22655cacefad3d9cb5e4c78387165462f805dd03308
                                                                                                                                                                                                                  • Instruction ID: d91687af1cca20bb31b10d2bd67a98277b6dd3bf30866bb97adeccb10f678603
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 81da3694fada472d18b7e22655cacefad3d9cb5e4c78387165462f805dd03308
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D3A1CC70D04249DFDF04DFA8C9057EEBBB4FF55304F208298E845A7292EB756A49CB92
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: __fread_nolock
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2638373210-0
                                                                                                                                                                                                                  • Opcode ID: 6cda157f4a4b1a36b927ebdad4d4bdf8fdca06a8cc9179dec38855276fef4ba4
                                                                                                                                                                                                                  • Instruction ID: 6158e6984b204e4251e37e20bdbae6ae578d3be5e217d9e843617f2d27ae1448
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6cda157f4a4b1a36b927ebdad4d4bdf8fdca06a8cc9179dec38855276fef4ba4
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C6129326046198FCB15CF2CD88096AB7E1FF84724F0586A9FC58CB355EB31DC188B96
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Mtx_unlock
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1418687624-0
                                                                                                                                                                                                                  • Opcode ID: 54613f36ec0cff667442c4e40474c1eeb925c29ff83d5611d2ebc3eadbda4bd2
                                                                                                                                                                                                                  • Instruction ID: 2b7740045e689b6f8b387332db77e733ab408fbab98fafc57a48e79e2517a4ae
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 54613f36ec0cff667442c4e40474c1eeb925c29ff83d5611d2ebc3eadbda4bd2
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B441E0B1E002158BDB28DFACDD1176EB7B1FB84710F04062DE905A7782DB71A901CBD2
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,?,00000003,00000000,BFFFFFFD,00000000,00000000), ref: 0087AE6F
                                                                                                                                                                                                                  • CreateFileA.KERNEL32(?,?,00000003,00000000,BFFFFFFD,00000000,00000000), ref: 0087AE77
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                                                  • Opcode ID: 58dc1b94d8a30d12049011df103cd8c2b80640885245f793b3ed6a9ba827cffa
                                                                                                                                                                                                                  • Instruction ID: 5cccc2f99d54b31c448c5780120f6c6ea40a883b43bdb55c6fa0de6944937a09
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 58dc1b94d8a30d12049011df103cd8c2b80640885245f793b3ed6a9ba827cffa
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2741AB726043058BDB149F29D842B6EBBE5FBC4364F048A2EF99DC7280E735D9548B92
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%
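The per-function entries above (an "APIs" list, the memory-dump source, and the similarity hashes) are tedious to read by hand when a report has thousands of them. The following parser is an added example written for this page; it is not Joe Sandbox code and it assumes only the text-export layout visible here: each entry opens with an "APIs" line, calls are bullets of the form `Name.MODULE(args), ref: ADDR` (sub-calls carry a `Part of subcall function ADDR:` prefix), and the other fields are `Key: value` bullets, with the "Download File" link text glued onto Associated entries. The sample input is constructed from lines on this page so the script runs offline.

```python
"""Parse per-function entries from a Joe Sandbox IDA-plugin text export.

Added example, not Joe Sandbox code. Assumes the text layout seen on this
page; any other export format would need the two regexes adjusted.
"""
import re
from collections import Counter

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by a sub-call marker.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# "• Key: value" (key is letters/spaces only, so sub-call lines never match).
FIELD_RE = re.compile(r"^(?:•\s*)?(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*)$")
LINK_TEXT = "Download File"  # UI residue glued onto Associated dump names


def parse_entries(text):
    """Return a list of {'apis': [...], 'subcalls': [...], 'fields': {...}}."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                       # every entry starts here
            cur = {"apis": [], "subcalls": [], "fields": {}}
            entries.append(cur)
            continue
        if cur is None:                          # text before the first entry
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            rec = {"name": m.group("name"), "module": m.group("module"),
                   "args": args.split(",") if args else [],
                   "ref": m.group("ref").upper()}
            if m.group("caller"):
                rec["caller"] = m.group("caller").upper()
                cur["subcalls"].append(rec)
            else:
                cur["apis"].append(rec)
            continue
        f = FIELD_RE.match(line)
        if f:
            key, val = f.group("key").strip(), f.group("val").strip()
            if val.endswith(LINK_TEXT):          # drop the glued link text
                val = val[: -len(LINK_TEXT)].rstrip()
            if key == "Associated":              # repeats within one entry
                cur["fields"].setdefault(key, []).append(val)
            else:
                cur["fields"][key] = val
    return entries


def api_histogram(entries):
    """Count direct (non-subcall) API calls as MODULE!Name across all entries."""
    counts = Counter()
    for e in entries:
        for rec in e["apis"]:
            counts[f'{rec["module"]}!{rec["name"]}'] += 1
    return counts


def functions_calling(entries, names):
    """Entries whose direct API set covers every name in `names`."""
    wanted = set(names)
    return [e for e in entries if wanted <= {a["name"] for a in e["apis"]}]


# Constructed sample: three entries copied from this page's text export.
SAMPLE = """\
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 007FC668
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 007FC869
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: DirectoryInformationVolumeWindows
• String ID:
• API String ID: 3487004747-0
• Instruction Fuzzy Hash: 2FB1E070C0024DDADF05DFA8C9197FEBBB4AF05304F14829DE541A7282E7B96649CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• CopyFileA.KERNEL32(00820B4B,?,00000000), ref: 00804959
• __Mtx_unlock.LIBCPMT ref: 00804A37
  • Part of subcall function 00804750: CopyFileA.KERNEL32(00820B4B,?,00000000), ref: 0080475F
Similarity
• API ID: CopyFile$Mtx_unlock
• API String ID: 741997458-0
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32 ref: 00806608
• CreateDirectoryA.KERNEL32(?,00000000), ref: 008066F5
Similarity
• API ID: AttributesCreateDirectoryFile
• API String ID: 3401506121-0
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for key, n in api_histogram(parsed).most_common():
        print(f"{n:3d}  {key}")
    for e in functions_calling(parsed, ["GetWindowsDirectoryA", "GetVolumeInformationA"]):
        print("volume-info function:", e["fields"]["API ID"], [a["ref"] for a in e["apis"]])
```

Sub-calls are kept separate from direct calls so the histogram does not double-count a CopyFileA reached through a helper, and `functions_calling` lets you pull out the functions that combine specific APIs (here the GetWindowsDirectoryA plus GetVolumeInformationA pair) together with their `ref` addresses for follow-up in the dump.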

APIs
• GetFileAttributesA.KERNEL32 ref: 00806608
• CreateDirectoryA.KERNEL32(?,00000000), ref: 008066F5
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: AttributesCreateDirectoryFile
• String ID:
• API String ID: 3401506121-0
                                                                                                                                                                                                                  • Opcode ID: a8fff2c5abd8ff55ce97f4a8a32e66e993953e45b0907d2607781f647dac982d
                                                                                                                                                                                                                  • Instruction ID: 978a61c5bc3f38202d4d2e3f1253559558c63ab0602f267c96fb89e8b86b2fa7
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a8fff2c5abd8ff55ce97f4a8a32e66e993953e45b0907d2607781f647dac982d
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1941CE70A086549BDB24CF68DC04BACB7B0FF55720F24072AF461D76C0E775A9A2DB80
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNEL32(00000000,00000000,00927188,008AA051,00000002,008AA051,00000000,?,?,?,008D020C,00000000,?,008AA051,00000002,00927188), ref: 008D013E
• GetLastError.KERNEL32(008AA051,?,?,?,008D020C,00000000,?,008AA051,00000002,00927188,00000000,008AA051,00000000,00927188,0000000C,008CAE64), ref: 008D014B
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 000a90af13e1d826ad071055e9234e3dea9a553f540bde44c91570e0887fbf6a
• Instruction ID: 9d097bb55e3603b2897908f772ea7000ceca11888cec47bf924f2afd0d9d1386
• Opcode Fuzzy Hash: 000a90af13e1d826ad071055e9234e3dea9a553f540bde44c91570e0887fbf6a
• Instruction Fuzzy Hash: 7C01C03261411AAFCF058F69DC56EAE3B69FB85320F240349F811DB291FA71E952DB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,008E09F9,?,00000000,?,?,008E0C9A,?,00000007,?,?,008E118E,?,?), ref: 008D8B19
• GetLastError.KERNEL32(?,?,008E09F9,?,00000000,?,?,008E0C9A,?,00000007,?,?,008E118E,?,?), ref: 008D8B24
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: f975a906bcd4c5415a6b81cd493b38d9be864180cb219b8080a07f5f1dcc9113
• Instruction ID: 64d567c4f9ab3d23d913f02d0daeba3989c02c95023e46ebbaa4cd6177491bab
• Opcode Fuzzy Hash: f975a906bcd4c5415a6b81cd493b38d9be864180cb219b8080a07f5f1dcc9113
• Instruction Fuzzy Hash: 6AE0C272100204ABCB212FB4EC08F9E3BA8FB503A1F25456AF608D6171DF30C990CBC1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39dd24b4262e1646eddc6203047e57181426fc7dff8b781c1a687b0330e7a6cb
• Instruction ID: 2589147ed8ceefe43826aa7da87e541d4bebe2a122c728ceaa3012952bb434e5
• Opcode Fuzzy Hash: 39dd24b4262e1646eddc6203047e57181426fc7dff8b781c1a687b0330e7a6cb
• Instruction Fuzzy Hash: 72519374A00108AFDB14DF58C885FA97BF1FF49328F24866CE8099B252E631DE61CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 1d95478b8d949e74bb9d9d3721d3154f21b58da919f554f8dc334d8be07dec8a
• Instruction ID: 87307ed616c20aba3039cc2760e35fe32fba23f0d340961f32de77e73ac81e37
• Opcode Fuzzy Hash: 1d95478b8d949e74bb9d9d3721d3154f21b58da919f554f8dc334d8be07dec8a
• Instruction Fuzzy Hash: 53111871A0410AAFCF05DF58E94199A7BF4FF48304F14406AF809EB351D670D911CB65
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetupDiGetClassDevsA.SETUPAPI(008F6520,00000000,00000000), ref: 007FC573
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
• API ID: ClassDevsSetup
• String ID:
• API String ID: 2330331845-0
• Opcode ID: ed491d07d481f551cf7b0d876143e69235ce0ac629fc88ccca5e92b760ac59f4
• Instruction ID: 1061c7fc0b99947b4f5bf2cb9aeed1a27a9c7a0a0c5c2c084d5d97534db7d16c
• Opcode Fuzzy Hash: ed491d07d481f551cf7b0d876143e69235ce0ac629fc88ccca5e92b760ac59f4
• Instruction Fuzzy Hash: F501DFB0A447589BE3208F24D90576BBBB0FB01B24F20071DE565977C0E3F96A4887D2
Uniqueness

Uniqueness Score: -1.00%
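The function records above (the resolved API calls with their ref addresses, the memory-dump provenance, and the Similarity fields, chiefly Opcode ID and Instruction Fuzzy Hash) are the parts of this section you would machine-extract to pivot between reports. The following parser is an added example for this record layout and is not Joe Sandbox's own tooling; its sample text is constructed from records on this page with the page indentation dropped, and it deliberately includes the "Download File" link text that copies of the report carry on the Associated lines, a record with no APIs section, and a final record cut off before its Uniqueness Score, which is how this section itself ends.

```python
# Added example: parse Joe Sandbox function records (APIs / Memory Dump Source /
# Similarity / Uniqueness blocks) into data for hunting. Not Joe Sandbox tooling.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One "Name.MODULE(args), ref: ADDR" entry under the APIs header.
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?P<args>\(.*\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
BULLET = "•"
LINK_RESIDUE = re.compile(r"\s*Download File$")  # link text fused to dump names in copied reports

# Constructed sample: three records in this report's layout (values taken from the page).
SAMPLE = """\
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32 ref: 00806608
• CreateDirectoryA.KERNEL32(?,00000000), ref: 008066F5
Memory Dump Source
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Similarity
• API ID: AttributesCreateDirectoryFile
• Opcode ID: a8fff2c5abd8ff55ce97f4a8a32e66e993953e45b0907d2607781f647dac982d
• Instruction Fuzzy Hash: 1941CE70A086549BDB24CF68DC04BACB7B0FF55720F24072AF461D76C0E775A9A2DB80
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
Similarity
• API ID:
• Opcode ID: 39dd24b4262e1646eddc6203047e57181426fc7dff8b781c1a687b0330e7a6cb
• Instruction Fuzzy Hash: 72519374A00108AFDB14DF58C885FA97BF1FF49328F24866CE8099B252E631DE61CB91
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetupDiGetClassDevsA.SETUPAPI(008F6520,00000000,00000000), ref: 007FC573
Similarity
• API ID: ClassDevsSetup
• Opcode ID: ed491d07d481f551cf7b0d876143e69235ce0ac629fc88ccca5e92b760ac59f4
• Instruction Fuzzy Hash: F501DFB0A447589BE3208F24D90576BBBB0FB01B24F20071DE565977C0E3F96A4887D2
Uniqueness
"""

@dataclass
class FunctionRecord:
    apis: List[Dict[str, str]] = field(default_factory=list)   # name/module/args/ref per call
    associated: List[str] = field(default_factory=list)         # Associated dump files
    fields: Dict[str, str] = field(default_factory=dict)        # every other "key: value" bullet
    uniqueness_score: Optional[str] = None                      # None when the record is truncated

    def api_sequence(self) -> List[str]:
        return [f"{a['module']}!{a['name']}" for a in self.apis]

    def fuzzy_hash(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")

def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()  # tolerates the deep indentation of a pasted report
        if not line:
            continue
        if line.startswith("Uniqueness Score:"):
            if current is not None:  # the score closes a record
                current.uniqueness_score = line.partition(":")[2].strip()
                records.append(current)
                current = None
            continue  # otherwise it is the dangling score of a record cut off above
        if current is None:
            current = FunctionRecord()
        if not line.startswith(BULLET):
            section = line  # APIs / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity / Uniqueness
            continue
        item = line[len(BULLET):].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                current.apis.append({k: m.group(k) or "" for k in ("name", "module", "args", "ref")})
            continue
        key, _, value = item.partition(":")
        key, value = key.strip(), LINK_RESIDUE.sub("", value.strip())
        if key == "Associated":
            current.associated.append(value)
        else:
            current.fields[key] = value
    if current is not None:  # last record truncated before its score
        records.append(current)
    return records

def calls_api(records: List[FunctionRecord], name: str) -> List[FunctionRecord]:
    """Records whose resolved API list contains `name`."""
    return [r for r in records if any(a["name"] == name for a in r.apis)]

def hunt_rows(records: List[FunctionRecord]) -> List[tuple]:
    """(API ID, instruction fuzzy hash, opcode ID) for records carrying an API ID:
    the fields to compare against the same section of other reports."""
    return [(r.fields["API ID"], r.fuzzy_hash(), r.fields.get("Opcode ID", ""))
            for r in records if r.fields.get("API ID")]
```

Records are delimited by the Uniqueness Score line rather than by the APIs header because, as on this page, a record may have no APIs section at all, or an empty one; the parser therefore also keeps a trailing record that was cut off before its score, with `uniqueness_score` left as `None`, so that a truncated page still yields its last API sequence and hashes.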

APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000001,?,008D7AC9,00000001,00000364,00000001,00000006,000000FF,?,008C237D,00000002,00000000,?,?), ref: 008D8184
Memory Dump Source
• Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
• Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
Similarity
                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                  • Opcode ID: c500d0d2c2e3577aebe045340e002f78995c2079b1560f170e6b058d0b110088
                                                                                                                                                                                                                  • Instruction ID: 4ef4054f6ee4e7af965332fd12f8af54bd90a73d3ad22d5d63b9e62f50dd1f66
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c500d0d2c2e3577aebe045340e002f78995c2079b1560f170e6b058d0b110088
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7DF0BE39640629E6DF216A269C01B5B3758FF417A0B298757F918E6390CF20EC0A86E2
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,008C237D,00000002,00000000,?,?,?,007F2F12,?,00000004), ref: 008D8BAF
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                  • Opcode ID: 28222b86441b19e0262cc54574fe7aa8621cae4da302339aa3c1fc7fb413a70a
                                                                                                                                                                                                                  • Instruction ID: fa9e8f6e35402a84f078467dfa150489a620b594beb40dea5770b861496b2d15
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 28222b86441b19e0262cc54574fe7aa8621cae4da302339aa3c1fc7fb413a70a
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3EE06DB1141A24EEDA213B6A9C04F5B3758FB827B0F2607A3EC15E6390DF60ED0085A2
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,008ABE3F,00849684,?,?,BAAAADAB,?,?,BAAAADAB), ref: 008AC09A
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: InfoSystem
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 31276548-0
                                                                                                                                                                                                                  • Opcode ID: c06c55e9a7a76aae64d54b8a8465b0640e376fd05c0bda966c73e490737bdc4f
                                                                                                                                                                                                                  • Instruction ID: c274d32fc56a4274cd7de019c086ca4d50b2699e1cd38ffedff5317ecedb0c54
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c06c55e9a7a76aae64d54b8a8465b0640e376fd05c0bda966c73e490737bdc4f
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 21E0C23094021C8BFB00FBF86C4AA9D37E8F70A300F500A21ED06E2643EB11E4A08B67
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 008D058F
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                                                  • Opcode ID: 4036eeb9fe608e07721f7c1739a35c6b9634e0df21ec26eb9aee98cd40235b53
                                                                                                                                                                                                                  • Instruction ID: bbfa887a70aed0746708903dbe8af62ba0dcf72394f6de907e4946ed95503147
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4036eeb9fe608e07721f7c1739a35c6b9634e0df21ec26eb9aee98cd40235b53
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 61D06C3200010DBBDF029F84DC06EDA3BAAFB48714F014100BA1856020C732E871EB90
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                    • Part of subcall function 007FAB00: CreateToolhelp32Snapshot.KERNEL32(00000002), ref: 007FAB63
                                                                                                                                                                                                                    • Part of subcall function 007FAB00: Process32First.KERNEL32(00000000,00000128), ref: 007FAB73
                                                                                                                                                                                                                    • Part of subcall function 007FAB00: Process32Next.KERNEL32(00000000,00000128), ref: 007FAB90
                                                                                                                                                                                                                  • CopyFileA.KERNEL32(00820B4B,?,00000000), ref: 0080475F
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Process32$CopyCreateFileFirstNextSnapshotToolhelp32
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 646994977-0
                                                                                                                                                                                                                  • Opcode ID: 41020fe2cfb3e7b38520510f6757f73bf30c9f4aa7b84cdce86634df858e4123
                                                                                                                                                                                                                  • Instruction ID: 7372f8b413f8e055f39ed7781b2ad982004ae0d85ccdfd9a7ede2fa3490fb3a9
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 41020fe2cfb3e7b38520510f6757f73bf30c9f4aa7b84cdce86634df858e4123
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F0C08C3220012062D220623A3C0EFAB4A9D9FC2930F36812AB008EA198DD58C84280A4
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                  • SystemFunction036.ADVAPI32(?,?), ref: 008AC1DE
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 0000000C.00000002.2581035824.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581017077.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581115078.00000000008F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581146123.0000000000929000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  • Associated: 0000000C.00000002.2581165656.000000000092D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_7f0000_3rB05VU.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID: Function036System
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID: 2600738214-0
                                                                                                                                                                                                                  • Opcode ID: 5458fade2543060700ed744d2892e4ad6e9c32adf8e56f00e4343fd13486d2ef
                                                                                                                                                                                                                  • Instruction ID: 9b510eef8c455a9c5f00d857c6fdfab6e762324c8833fdccd53e869f7551d5e2
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5458fade2543060700ed744d2892e4ad6e9c32adf8e56f00e4343fd13486d2ef
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F2C08C3100050C66AE403FC4A801AB83B09FA13794B404091F92CC9823AB2299719685
                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                  Uniqueness Score: -1.00%